Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The ERC-5095 standard is not followed correctly #197

Closed
c4-bot-10 opened this issue Mar 1, 2024 · 5 comments
Closed

The ERC-5095 standard is not followed correctly #197

c4-bot-10 opened this issue Mar 1, 2024 · 5 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-210 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) 🤖_33_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-10
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L483-L484
https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L441-L443

Vulnerability details

Impact

Functionality is not working as expected

Proof of Concept

For the maxRedeem function, in EIP-5095 it is stated :

MUST factor in both global and user-specific limits, like if redemption is entirely disabled (even temporarily) it MUST return 0

Spectra has a pause function which can deactivate the Deposit, Redeem and Withdraw functions. The main problem is that when Redeem is paused the return value of maxRedeem should be 0 but in this case it is not, the return value of maxRedeem will still return what it usually does even when the Redeem function is disabled.

This happens because when the user call the maxRedeem function it will produce a return value from the _maxBurnable function. The code can be seen below :

    function maxRedeem(address owner) public view override returns (uint256) {
        return _maxBurnable(owner);

		
    function _maxBurnable(address _user) internal view returns (uint256 maxBurnable) {
        if (block.timestamp >= expiry) {
            maxBurnable = balanceOf(_user);
        } else {
            uint256 ptBalance = balanceOf(_user);
            uint256 ytBalance = IYieldToken(yt).balanceOf(_user);
            maxBurnable = (ptBalance > ytBalance) ? ytBalance : ptBalance;
        }
    }

As can be seen in the codebase, this function does not have a modifier or logic that differentiates when the main Redeem function is in pause / unpause state so whatever state the return value is in, it will still return what it usually does. This also applies to the maxDeposit function, that function also does not follow existing standards and has the same problem.

Because PrincipalToken must follow EIP-5095 is main invariant, this issue breaks the main invariant and there are not just one but two functions that do not follow the existing standard. It can be concluded :

Impact: Medium, as functionality is not working as expected but without a value loss

Likelihood: Medium, as multiple methods are not compliant with the standard

Tools Used

Manual review

Recommended Mitigation Steps

Go through the standards and follow it all.

Assessed type

Other
@c4-bot-10 c4-bot-10 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 1, 2024
c4-bot-10 added a commit that referenced this issue Mar 1, 2024
@c4-bot-10
0xDemon issue #197
b87dde2
@c4-bot-13 c4-bot-13 added the 🤖_33_group AI based duplicate group recommendation label Mar 1, 2024
@c4-pre-sort
Copy link

gzeon-c4 marked the issue as duplicate of #33

@c4-pre-sort
Copy link

gzeon-c4 marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Mar 3, 2024
@c4-judge
Copy link
Contributor

JustDravee marked the issue as partial-50

@c4-judge c4-judge added partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) and removed partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) labels Mar 11, 2024
@c4-judge
Copy link
Contributor

JustDravee marked the issue as satisfactory

@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards duplicate-210 and removed duplicate-33 labels Mar 11, 2024
@c4-judge
Copy link
Contributor

JustDravee marked the issue as partial-50

@c4-judge c4-judge added partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) and removed satisfactory satisfies C4 submission criteria; eligible for awards labels Mar 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-210 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) 🤖_33_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@c4-judge @c4-pre-sort @c4-bot-10 @c4-bot-13