code-423n4 / 2024-02-spectra-findings


Function `claimFees()` can be called even when contract is paused #132

Closed c4-bot-10 closed 8 months ago

c4-bot-10 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L329-L336

Vulnerability details

Impact

The PrincipalToken inherits from PausableUpgradeable, thus it can be paused. One of the functions, claimFees(), however, does not implement the whenNotPaused modifier, meaning that it's possible to claim the collected ibt fees and redeem them to the fee collector even when the contract is paused.

Proof of Concept

File: PrincipalToken.sol

    function claimFees() external override returns (uint256 assets) {
        if (msg.sender != IRegistry(registry).getFeeCollector()) {
            revert UnauthorizedCaller();
        }
        uint256 ibts = unclaimedFeesInIBT;
        unclaimedFeesInIBT = 0;
        assets = IERC4626(ibt).redeem(ibts, msg.sender, address(this));
        emit FeeClaimed(msg.sender, ibts, assets);
    }

As demonstrated above, the function claimFees() is missing the whenNotPaused modifier, thus it's possible to call it even when the contract is paused.

  1. Pause PrincipalToken
  2. Call claimFees()

Because claimFees() does not verify whether the contract is paused, it's possible to call this function even on the paused contract.

Tools Used

Manual code review

Recommended Mitigation Steps

Add the whenNotPaused modifier to the claimFees() function. It should not be possible to call this function when the contract is paused.

Assessed type

Access Control
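A minimal model of the two proof-of-concept steps above, as an added example that is not part of the report and is not the Spectra code. `FeeModel`, `PauseCheck`, `setPaused`, `claimFeesGuarded` and the `EnforcedPause` error are hypothetical names, and the IBT vault redemption is left out so the contract compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-in for PrincipalToken (hypothetical model, no real IBT vault).
contract FeeModel {
    error EnforcedPause();
    error UnauthorizedCaller();

    address public immutable feeCollector;
    bool public paused;
    uint256 public unclaimedFeesInIBT;

    modifier whenNotPaused() {
        if (paused) revert EnforcedPause();
        _;
    }

    constructor(address collector, uint256 fees) {
        feeCollector = collector;
        unclaimedFeesInIBT = fees;
    }

    // Access control on pausing is omitted in this model.
    function setPaused(bool p) external { paused = p; }

    // Same shape as the reported function: caller check only, no pause check.
    function claimFees() external returns (uint256 ibts) {
        if (msg.sender != feeCollector) revert UnauthorizedCaller();
        ibts = unclaimedFeesInIBT;
        unclaimedFeesInIBT = 0;
    }

    // Variant carrying the modifier the report recommends.
    function claimFeesGuarded() external whenNotPaused returns (uint256 ibts) {
        if (msg.sender != feeCollector) revert UnauthorizedCaller();
        ibts = unclaimedFeesInIBT;
        unclaimedFeesInIBT = 0;
    }
}

// Deploys the model with itself as fee collector, pauses it, and tries both variants.
contract PauseCheck {
    function run() external returns (bool guardedReverted, uint256 claimedWhilePaused) {
        FeeModel m = new FeeModel(address(this), 100); // 100 is a constructed fee balance
        m.setPaused(true);
        try m.claimFeesGuarded() returns (uint256) {} catch { guardedReverted = true; }
        claimedWhilePaused = m.claimFees(); // unguarded variant is still callable
    }
}
```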

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as duplicate of #7

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as sufficient quality report

c4-judge commented 8 months ago

JustDravee marked the issue as unsatisfactory: Invalid