Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The Principal Token is not ERC-5095 compliant #235

Closed
c4-bot-1 opened this issue Mar 1, 2024 · 6 comments
Closed

The Principal Token is not ERC-5095 compliant #235

c4-bot-1 opened this issue Mar 1, 2024 · 6 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-210 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) 🤖_33_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-1
Copy link
Contributor

c4-bot-1 commented Mar 1, 2024

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L806-L808
https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L483-L485
https://github.com/code-423n4/2024-02-spectra/blob/main/src/tokens/PrincipalToken.sol#L460-L462

Vulnerability details

Impact

The Principal Token deviate from the ERC-5095 specification which may break external integrations.

Proof of Concept

ERC-5095 stipulates:

MUST support a redeem flow where the Principal Tokens are burned from holder directly where holder is msg.sender or msg.sender has EIP-20 approval over the principal tokens of holder.

However, the PrincipalToken.redeem function calls the _beforeRedeem function:

    function _beforeRedeem(uint256 _shares, address _owner) internal nonReentrant whenNotPaused {
        if (_owner != msg.sender) {
            revert UnauthorizedCaller();
        }
    }

This reverts if the owner is not the sender, thus violating ERC5095.

ERC-5095 also states:

MUST factor in both global and user-specific limits, like if redemption is entirely disabled (even temporarily) it MUST return 0.

As previously explained, the PrincipalToken.redeem calls the _beforeRedeem function, which has a whenNotPaused modifier, meaning redemption can be paused by the owner.

However, the maxRedeem function will return maxBurnable of the user if redemption is paused:

    function maxRedeem(address owner) public view override returns (uint256) {
        return _maxBurnable(owner);
    }

It's important to note the same issue exists in the maxWithdraw function, as it will still call convertToUnderlying with the user's maxBurnable even if the contract is paused. maxWithdraw has a whenNotPaused modifier, which will revert, although the ERC clearly states:

MUST NOT revert.

Tools Used

Manual review

Recommended Mitigation Steps

Consider following the ERC-5095 specifications.

Assessed type

Other
@c4-bot-1 c4-bot-1 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 1, 2024
c4-bot-1 added a commit that referenced this issue Mar 1, 2024
@c4-bot-1
btk issue #235
7e592e2
@c4-bot-13 c4-bot-13 added the 🤖_33_group AI based duplicate group recommendation label Mar 1, 2024
@c4-pre-sort
Copy link

gzeon-c4 marked the issue as duplicate of #33

@c4-pre-sort
Copy link

gzeon-c4 marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Mar 3, 2024
@c4-judge c4-judge added the partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) label Mar 11, 2024
@c4-judge
Copy link
Contributor

JustDravee marked the issue as partial-50

@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards and removed partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) labels Mar 11, 2024
@c4-judge
Copy link
Contributor

JustDravee marked the issue as satisfactory

@c4-judge
Copy link
Contributor

JustDravee marked the issue as partial-50

@c4-judge c4-judge added partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) and removed satisfactory satisfies C4 submission criteria; eligible for awards labels Mar 14, 2024
@0xbtk
Copy link

0xbtk commented Mar 15, 2024

Hey @JustDravee, I believe I've mentioned all the lack of compliance, could you please elaborate on why this was marked partial?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-210 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) 🤖_33_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@c4-judge @c4-pre-sort @0xbtk @c4-bot-1 @c4-bot-13