Open hats-bug-reporter[bot] opened 1 week ago
Thank you for your report on potential loss of user collateral sent directly to the treasury address. After review, we've determined this is not an issue.
The StandardTreasury is designed to reject transfers unless they include specifically formatted data, which prevents accidental direct transfers. This behavior is documented and intentional.
We appreciate your thorough examination of our contract interactions and your concern for user fund safety. Your attention to potential edge cases contributes to the overall security of the system. Thank you for your valuable input in this security review.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x76763b7a63f9fbc9d3381e6c56951f3f29fc8752ffc49da36ea30d4aceb37ae7 Severity: high
Description: Description\ If the user directly sent the collateral or tokens to treasury address bypassing the
Hub contract
then it would result in loss of users collateral as only Hub contract can mint the group circles to users after receiving the collateral. As per documentation:_groupMint()
used ingroupMint()
function is implemented as:This function first transfers the colletral from user to treasury vault contract and after that mint the group circle to user's
receiver
address.Impact\ Due to non-restriction on use of
safeBatchTransferFrom()
inHub.sol
, if the user directly use it then his collateral would be lost. This is also mentioned in documenatation.The impact is loss of users collateral or stucked of tokens, therefore issue is high severity.
Recommendation to fix Restrict the access of
hub.safeBatchTransferFrom()
function to treasury of vault address i.e it should only be called byStandardTreasury.sol
contract to prevent this issue.For example,
burn()
inHub.sol
can only be called by treasury of vault address i.eStandardTreasury.sol
which can be seen as below: