search

sherlock-audit / 2024-03-zivoe-judging

8 stars 6 forks source link

Ironsidesec - max JTT mint (`isJuniorOpen`) can be breached at the epoch end. #696

Closed sherlock-admin3 closed 6 months ago

sherlock-admin3 commented 6 months ago

Ironsidesec

medium

max JTT mint (isJuniorOpen) can be breached at the epoch end.

Summary

It is possible when the time is near the epoch end time. This issue cannot be ruled out as out of scope because redemptions are involved, even if you implement redemption fees the atatcker will still do it. And any fix there cannot solve this issue, but to block the junior deposits based on cooldown period feature recommended on recommendation section.

Vulnerability Detail

https://github.com/sherlock-audit/2024-03-zivoe/blob/01e00e6f27b58392a6fa0b82c84a46a783a0df3c/zivoe-core-foundry/src/ZivoeTranches.sol#L281

File: 2024-03-zivoe\zivoe-core-foundry\src\ZivoeTranches.sol

275:     function depositJunior(uint256 amount, address asset) public notPaused nonReentrant {
276:         require(
277:             IZivoeGlobals_ZivoeTranches(GBL).stablecoinWhitelist(asset),
278:             "ZivoeTranches::depositJunior() !IZivoeGlobals_ZivoeTranches(GBL).stablecoinWhitelist(asset)"
279:         );
280:         require(tranchesUnlocked, "ZivoeTranches::depositJunior() !tranchesUnlocked");
281:
282:         address depositor = _msgSender();
283:
284:         IERC20(asset).safeTransferFrom(depositor, IZivoeGlobals_ZivoeTranches(GBL).DAO(), amount);
285:        
286:         uint256 convertedAmount = IZivoeGlobals_ZivoeTranches(GBL).standardize(amount, asset);
287:
288:  >>>    require(isJuniorOpen(amount, asset),"ZivoeTranches::depositJunior() !isJuniorOpen(amount, asset)");
289:
290:         uint256 incentives = rewardZVEJuniorDeposit(convertedAmount);
291:         emit JuniorDeposit(depositor, asset, amount, incentives);
292:
293:         // Ordering important, transfer ZVE rewards prior to minting zJTT() due to totalSupply() changes.
294:         IERC20(IZivoeGlobals_ZivoeTranches(GBL).ZVE()).safeTransfer(depositor, incentives);
295:         IERC20Mintable_ZivoeTranches(IZivoeGlobals_ZivoeTranches(GBL).zJTT()).mint(depositor, convertedAmount);
296:     }

Attack path:

  1. its 28 th day of epoch
  2. And JTT is not open because its in the limit ratio of STT
  3. So, an attacker can mint STT which will open JTT minting again, so mint some JTT again
  4. Then call redemption request for the minted STT tokens alone. Then wait for few seconds to start a new epoch, and claim the redemption of minted STT back to stables.

So right now, the JTT limit is already breached.

Impact

Code Snippet

https://github.com/sherlock-audit/2024-03-zivoe/blob/01e00e6f27b58392a6fa0b82c84a46a783a0df3c/zivoe-core-foundry/src/ZivoeTranches.sol#L281

Tool used

Manual Review

Recommendation

Maybe block the junior deposit for at least a day if the limit is hit. Think of it as having a cool down period.

pseudonaut commented 6 months ago

Redemption? OCR_Modular is not in scope

sherlock-admin4 commented 6 months ago

1 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, redemptions (OCR_Modular) is out of scope