WarTech9
commented
1 year ago There is no requirement to track user deposits as the intention is for users to deposit to mint UXD stablecoin, so can be redeemed for the equivalent value of asset at a later time. Some interesting conditions can occur if all of one asset is redeemed as you point out, but this is more of an edge-case as UXD is to be used in DeFi and other applications making redeeming all of one asset unlikely.
hrishibhat
joestakey
medium
When redeeming, users can choose a different
assetTokenthan the one they deposited, potentially making some users unable to redeemSummary
users can choose a different
assetTokenthan the one they deposited, potentially grieving other users.Vulnerability Detail
When a user calls
redeem()to redeem theirUXDagainst an asset, they can specify theassetTokenthey want to receive in the function parameter. They can specify the asset they want, ie not necessarily the one they deposited when they minted. Consequently, some user( or users) will be "forced" to receive a differentassetTokenthan the ones they deposited.Though bad for user experience/expectations, this on its own does not lead to any loss (even if the
assetTokenis different, the value is equivalent).The issue is for users who are blacklisted by USDC. Let us look at the following example:
NUXDNUXDNUXD for WETHredeem(), the call reverts here because of the USDC blacklist.Impact
Some users may be unable to redeem.
Code Snippet
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDController.sol#L312-L340
Tool used
Manual Review
Recommendation
You can consider using a mapping to track which
assetTokenhas been deposited by a user. But this would limit the user to deposit one type of collateral. Another solution would be to use a different UXDcontroller for each collateral, and tracking the amount ofUXDminted by a user, to ensure they do not redeem more than what they have minted on a given controller.