code-423n4 / 2024-02-spectra-findings


Non compliance with ERC standards #61

Closed c4-bot-7 closed 8 months ago

c4-bot-7 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L483

Vulnerability details

The maxRedeem function should return 0 when the withdrawal is paused. But here, it's returning _maxBurnable(owner).

Proof of Concept

According to the ERC-5095 standards:

    MUST factor in both global and user-specific limits, like if redemption is entirely disabled (even temporarily) it MUST return 0.

But inside the Principal token contract, the function can be called even if the contract is paused.

File: PrincipalToken.sol

483:   function maxRedeem(address owner) public view override returns (uint256) {
           return _maxBurnable(owner);
       }

Tools Used

Manual Review & ERC-5095

Recommended Mitigation Steps

Add whenNotPaused modifier in maxRedeem function.

File: PrincipalToken.sol

483:   function maxRedeem(address owner) public view override whenNotPaused returns (uint256) {
           return _maxBurnable(owner);
       }

Assessed type

Error
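The quoted ERC-5095 clause asks maxRedeem to report 0 while redemption is disabled, which is a different change from attaching a modifier that reverts. The contract below is an added illustration written for this page, not the Spectra PrincipalToken source: it keeps the reported shape beside a version that folds the pause state into the return value, and routes the state-changing redeem through the same view. The contract name, the balance mapping, the admin/pause plumbing and the body of `_maxBurnable` are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the Spectra PrincipalToken source: a stripped-down
/// principal-token-like contract showing the maxRedeem behaviour the quoted
/// ERC-5095 clause requires while redemption is paused. The balance mapping,
/// the pause flag, the admin check and the _maxBurnable body are assumptions.
contract PausableRedeemExample {
    mapping(address => uint256) private _balances;
    bool private _paused;
    address public immutable admin;

    event Redeemed(address indexed owner, address indexed receiver, uint256 principal);

    error NotAdmin();
    error NotOwner();
    error RedemptionPaused();
    error ExceedsMaxRedeem(uint256 requested, uint256 allowed);

    constructor() {
        admin = msg.sender;
    }

    /// Assumed helper so the example can be exercised: credit principal to an account.
    function mint(address to, uint256 amount) external {
        if (msg.sender != admin) revert NotAdmin();
        _balances[to] += amount;
    }

    /// Global limit: while true, redemption is entirely (temporarily) disabled.
    function setPaused(bool value) external {
        if (msg.sender != admin) revert NotAdmin();
        _paused = value;
    }

    function paused() public view returns (bool) {
        return _paused;
    }

    function balanceOf(address owner) public view returns (uint256) {
        return _balances[owner];
    }

    /// Assumed stand-in for PrincipalToken._maxBurnable: the user-specific limit only.
    function _maxBurnable(address owner) internal view returns (uint256) {
        return _balances[owner];
    }

    /// Shape from the finding, kept for comparison: reports a non-zero amount even
    /// while redemption is disabled, so a caller sizing a redeem() from it will revert.
    function maxRedeemIgnoringPause(address owner) public view returns (uint256) {
        return _maxBurnable(owner);
    }

    /// Compliant shape: the global limit (pause) is folded into the answer and the
    /// view itself never reverts, so integrators can rely on the returned number.
    function maxRedeem(address owner) public view returns (uint256) {
        if (_paused) return 0;
        return _maxBurnable(owner);
    }

    /// State-changing path: reverting is the right tool here, and the amount check
    /// goes through maxRedeem so the view and the action cannot drift apart.
    function redeem(uint256 principalAmount, address receiver, address owner)
        external
        returns (uint256)
    {
        if (msg.sender != owner) revert NotOwner(); // simplified: no allowance handling
        if (_paused) revert RedemptionPaused();
        uint256 allowed = maxRedeem(owner);
        if (principalAmount > allowed) revert ExceedsMaxRedeem(principalAmount, allowed);
        _balances[owner] -= principalAmount;
        emit Redeemed(owner, receiver, principalAmount);
        // Underlying transfer omitted; a 1:1 rate is an assumption for the illustration.
        return principalAmount;
    }
}
```

Deploy, mint to an account, then call setPaused(true): maxRedeemIgnoringPause still reports the full balance, maxRedeem reports 0, and redeem reverts with RedemptionPaused. Keeping the pause check inside the view matters because routers and off-chain integrators size their calls from the max* functions; ERC-5095 models these views on ERC-4626, which also requires that they do not revert, so a reverting modifier on maxRedeem would break callers that expect a number rather than satisfy the clause quoted above.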

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as primary issue

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as duplicate of #33

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as sufficient quality report

c4-judge commented 8 months ago

JustDravee marked the issue as partial-25

c4-judge commented 8 months ago

JustDravee marked the issue as satisfactory

c4-judge commented 7 months ago

JustDravee marked the issue as partial-25

Shubh0412 commented 7 months ago

@JustDravee Wondering why this is partial-25 whereas issue #116 is partial-75?

JustDravee commented 7 months ago

@Shubh0412 because that person had several submissions under the duplicated finding and I totaled them