Closed sherlock-admin4 closed 4 months ago
1 comment(s) were left on this issue during the judging contest.
WildSniper commented:
low | this is the case with any on-chain pausing functionality && withdrawToken() is called only from permissioned actor.
Bigsam
medium
Lack of Modifier onlyGreenlisted(msg.sender) in function withdrawToken will make frontrunning of admin who calls blacklist/pause while the malicious user withdraws his token successfully.
Summary
Because of the missing check onlyGreenlisted(msg.sender), a malicious actor can front-run the admin who calls the blacklist/pause function and redeem all his imbill tokens successfully. Also, a malicious user who has done his KYC and AML who acquires Imbill tokens through hacking on another platform can potentially redeem them before the admin is aware, or even if the admin is aware and they are blacklisted. After successfully front-running the admin, according to the docs, withdraw is computed off-chain and for USDC token it is executed on-chain.
https://docs.midas.app/protocol-mechanics/how-it-works/issuance-and-redemption#:~:text=Redemption%20requests%20are,additional%20business%20days.
While I want to believe other checks are done off-chain to prevent this for off-chain redemption, the function withdrawToken in ManageableVault.sol (ON-CHAIN) fails to query the address we are withdrawing to, hence a blacklisted account can get paid if he front-runs the admin.
Vulnerability Detail
Fronting the admin because of a lack of verification on the address withdrawTo can allow a blacklisted account to redeem imbill tokens against protocol design. Even though KYC is conducted before deposits and redemptions, a malicious user can exploit the time gap between acquiring stolen tokens and the admin blacklisting them. This allows the attacker to:
Impact
A blacklisted account's withdrawal request is processed successfully, and stolen Imbill tokens can be redeemed and withdrawn by malicious actors before they are blacklisted. All this is possible because of a missing modifier on https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/abstract/ManageableVault.sol#L92-L96
Code Snippet
https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/RedemptionVault.sol#L57-L77
https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/abstract/ManageableVault.sol#L151-L157
https://github.com/sherlock-audit/2024-05-midas/blob/main/midas-contracts/contracts/abstract/ManageableVault.sol#L86-L100
Tool used
Manual Review
Recommendation
To mitigate this vulnerability, the following recommendations are suggested: