Closed c4-submissions closed 11 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #43
fatherGoose1 marked the issue as unsatisfactory: Invalid
Hi @fatherGoose1, this is not a duplicate of #43, whereby the withdrawal function is missing.
This is a case of escaping the admin burnFrom function, whereby users can evade the burn by frontrunning the admin (as stated in this issue).
A similar issue that was previously judged as medium is the Ethena M-01 issue: stakers can bypass restrictions, issue 499.
Thanks for your time and effort!
@cryptostaker2 I was the judge for Ethena. Ethena imposed restrictions to avoid legal disputes. No such safeguards are in place for Kelp, and front-running a burnFrom()
call is possible for all tokens.
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/RSETH.sol#L54-L56 https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/release-v4.7/contracts/token/ERC20/ERC20Upgradeable.sol#L1
Vulnerability details
Proof of Concept
rsETH is an upgradeable ERC20 contract. The mint function is exposed but the burn function is not, meaning that the users cannot burn their rsETH. However, there is a burnFrom function in rsETH, where the admin with the BURNER_ROLE can burn rsETH from any account.
Should the admin intend to burn from an account, that account has 3 options to protect their rsETH.
(Assume OpenZeppelin version <5.0)
Impact
Users can escape burning in the event that the admin intends to burn rsETH from an account.
Tools Used
Manual Review
Recommended Mitigation Steps
A better way to prevent users from escaping the burn is to blacklist the potential accounts that has rsETH that needs to be burned. Then, restrict their functionality through the token transfer hooks or overriding the new _update function (if using Openzeppelin 5.0 and up). Restrict the transfer and approve function so that the blacklisted accounts cannot transfer their tokens away, trade the rsETH off or approve another account.
Assessed type
ERC20