code-423n4 / 2024-02-spectra-findings


PT and its YT will not have an equal supply at all times #256

Closed c4-bot-10 closed 9 months ago

c4-bot-10 commented 9 months ago

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/YieldToken.sol#L58-L61

Vulnerability details

Impact

The Spectra protocol listed this invariant as one of the main invariants of the protocol:

PT and its YT should have an equal supply at all times

However, the YieldToken contract's burn function allows users to violate this invariant easily.

Proof of Concept

The burn function in the YieldToken contract is public for anyone to call:

    function burn(uint256 amount) public override {
        IPrincipalToken(pt).updateYield(msg.sender);
        _burn(msg.sender, amount);
    }

This function will update the user yield, then burn the given amount directly. Thus, when a user burns any amount of YieldToken, the code will go against its specification and break an invariant of the protocol.

This function first updates the user's yield and then directly burns the specified amount of tokens. Consequently, any token burn by a user will go against the code specification and break an invariant of the protocol.

Tools Used

Manual review

Recommended Mitigation Steps

Consider preventing users from burning tokens.

Assessed type

Invalid Validation
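The supply check this report describes can be written as a small state model that replays operations and reports the first one after which the PT and YT supplies differ. This is an added example, not code from the report or from Spectra: `Model`, `deposit`, `redeem_pair`, `first_violation` and the sample operations are constructed, the paired mint and paired burn are assumptions, and only `yt_burn` mirrors the `burn` function quoted above (without the `updateYield` call).

```python
from dataclasses import dataclass, field

@dataclass
class Token:
    balances: dict = field(default_factory=dict)
    total_supply: int = 0

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total_supply += amount

    def burn(self, who, amount):
        if self.balances.get(who, 0) < amount:
            raise ValueError("burn exceeds balance")
        self.balances[who] -= amount
        self.total_supply -= amount

class Model:
    def __init__(self):
        self.pt, self.yt = Token(), Token()

    def deposit(self, who, amount):
        # Assumption: a deposit mints PT and YT in equal amounts.
        self.pt.mint(who, amount)
        self.yt.mint(who, amount)

    def redeem_pair(self, who, amount):
        # Assumption: a paired exit burns both tokens; check first so a failure changes nothing.
        if min(self.pt.balances.get(who, 0), self.yt.balances.get(who, 0)) < amount:
            raise ValueError("redeem exceeds balance")
        self.pt.burn(who, amount)
        self.yt.burn(who, amount)

    def yt_burn(self, who, amount):
        # Mirrors the quoted YieldToken.burn: only YT is burned (updateYield omitted).
        self.yt.burn(who, amount)

def first_violation(ops):
    """Replay (op, user, amount) tuples; return (index, pt_supply, yt_supply) at the first mismatch."""
    model = Model()
    handlers = {"deposit": model.deposit, "redeem_pair": model.redeem_pair, "yt_burn": model.yt_burn}
    for index, (op, who, amount) in enumerate(ops):
        handlers[op](who, amount)
        if model.pt.total_supply != model.yt.total_supply:
            return index, model.pt.total_supply, model.yt.total_supply
    return None

# Constructed sample sequence: the supplies stay equal until the standalone YT burn.
SAMPLE_OPS = [("deposit", "alice", 100), ("deposit", "bob", 50),
              ("redeem_pair", "alice", 30), ("yt_burn", "bob", 10)]
```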

c4-pre-sort commented 9 months ago

gzeon-c4 marked the issue as duplicate of #114

c4-pre-sort commented 9 months ago

gzeon-c4 marked the issue as sufficient quality report

c4-judge commented 8 months ago

JustDravee marked the issue as unsatisfactory: Invalid