search

code-423n4 / 2024-02-spectra-findings

4 stars 2 forks source link

Missing checks for sequencer up #56

Closed c4-bot-3 closed 8 months ago

c4-bot-3 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L29

Vulnerability details

Impact

The protocol lacks sufficient checks to verify the status of the sequencer before executing critical operations. However, without proper checks to ensure that the sequencer is always operational and up-to-date, the protocol may inadvertently expose itself to various risks and vulnerabilities.

Proof of Concept

Below is a POC

  1. Alice wants to withdraw 100 IBT tokens, she expects to receive the equivalent amount of PT and YT shares before withdraw
  2. The withdraw function checks the current market rates for IBT to PT conversion to ensure appropriate amount of PT shares based on those rates.
  3. sequencer is down and cannot complete the operation
  4. sequencer is now back and the current market rates have dipped making Alice complete withdrawal but with bad rates

Tools Used

manual review

Recommended Mitigation Steps

Develop contingency plans and emergency actions to handle situations where the sequencer is unavailable or compromised. This could involve temporary suspension of critical operations, activating emergency modes like emergency withdraw, or transitioning to alternative sequencing mechanisms.

Assessed type

Other

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as insufficient quality report

c4-judge commented 8 months ago

JustDravee marked the issue as unsatisfactory: Invalid