Open c4-bot-2 opened 8 months ago
Picodes marked the issue as primary issue
othernet-global (sponsor) disputed
In order to receive the airdrop, users will need to vote on the BootstrapBallot and satisfy the same geo restrictions as for general exchange access.
Picodes changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/staking/Staking.sol#L130-L138
Vulnerability details
Bug Description
The Salty protocol's staking functionality, managed by the `Staking.sol` contract, is designed to restrict XSalt (staked SALT) possession to users with access to the exchange. This restriction is enforced in the `stakeSALT()` function, which requires the caller to have exchange access before staking SALT. However, the same access check is missing from the airdrop distribution path: the `transferStakedSaltFromAirdropToUser()` function, responsible for transferring XSalt from the airdrop to users, does not verify that the recipient is permitted to access the exchange.
Impact
This omission allows users without exchange access (e.g., users from blacklisted countries) to hold XSalt, bypassing the protocol's intended restriction.
Proof of Concept
The issue can be demonstrated as follows:
The test must be added to `/launch/tests/Airdrop.t.sol` and can be run with `COVERAGE="yes" NETWORK="sep" forge test -vvvv --rpc-url https://rpc.sepolia.org --match-test "testClaimAirdropNoAccess"`. The provided test case needs to be modified by commenting out `grantAccessAlice();` on line 115 of the file, which simulates a user without exchange access successfully claiming the airdrop.
Tools Used
Manual Review
Recommended Mitigation Steps
To rectify this issue, a check should be added in the `transferStakedSaltFromAirdropToUser()` function to ensure that the recipient has access to the exchange. This can be implemented as follows:
By adding this check, the protocol enforces its access restriction consistently across both staking and airdrop distribution, ensuring that only eligible users can hold XSalt.
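The recipient check described above, written out as an added illustration rather than the warden's submitted snippet (which is not reproduced on this page). It assumes the `Staking` contract holds an `exchangeConfig` reference exposing `walletHasAccess(address)` and `airdrop()`, and an internal share-increase helper; those names are assumptions, not taken from the page.

```solidity
// SPDX-License-Identifier: BUSL-1.1
pragma solidity ^0.8.22;

// Illustrative fragment only. The interface below and the helper
// _increaseUserShare are assumed for this example; they are not the
// project's verified API.
interface IExchangeConfig {
    // Same access predicate that stakeSALT() is assumed to consult.
    function walletHasAccess(address wallet) external view returns (bool);
    // Address of the Airdrop contract allowed to hand out staked SALT.
    function airdrop() external view returns (address);
}

abstract contract StakingAirdropAccessCheck {
    IExchangeConfig public immutable exchangeConfig;

    constructor(IExchangeConfig _exchangeConfig) {
        exchangeConfig = _exchangeConfig;
    }

    // Share bookkeeping lives in the derived contract (assumed).
    function _increaseUserShare(address wallet, uint256 amount) internal virtual;

    // Airdrop -> user transfer of staked SALT. The original only restricted
    // the caller; the recipient check is the mitigation this issue proposes.
    function transferStakedSaltFromAirdropToUser(address wallet, uint256 amountStaked) external {
        require(msg.sender == exchangeConfig.airdrop(), "Only the Airdrop contract can call this");

        // Added check: the recipient must satisfy the same exchange-access
        // restriction that stakeSALT() applies to direct stakers, so a
        // geo-restricted wallet cannot end up holding XSalt via the airdrop.
        require(exchangeConfig.walletHasAccess(wallet), "Recipient does not have exchange access");

        _increaseUserShare(wallet, amountStaked);
    }
}
```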
Assessed type
Invalid Validation