Skip to content
This repository has been archived by the owner on Jul 14, 2024. It is now read-only.

chaduke - LibUbiquityPool.collectRedemption() lacks modifier collateralEnabled(collateralIndex). #23

Closed
sherlock-admin opened this issue Jan 10, 2024 · 2 comments
Closed

chaduke - LibUbiquityPool.collectRedemption() lacks modifier collateralEnabled(collateralIndex). #23

sherlock-admin opened this issue Jan 10, 2024 · 2 comments
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Jan 10, 2024
edited
Loading

chaduke

medium

LibUbiquityPool.collectRedemption() lacks modifier collateralEnabled(collateralIndex).

Summary

LibUbiquityPool.collectRedemption() lacks modifier collateralEnabled(collateralIndex). As a result, even when a collateral is disabled, a user can still collected the redeemed collateral.

Vulnerability Detail

The redeeming of collateral takes two steps: 1. redeemDollar() and 2 collectRedemption().

These two steps cannot be be performed in the same block to avoid flashload manipulation.

While the redeemDollar() has the collateralEnabled(collateralIndex) modifier, the collectRedemption() does not.
As a result, if the collateral is disabled between the two steps to disable redeeming. The disnabling will fail since the second does not have the modifier collateralEnabled(collateralIndex). The user will still be able to complete the redemption process.

Impact

LibUbiquityPool.collectRedemption() lacks modifier collateralEnabled(collateralIndex). The admin/owner cannot stop the redeeming process of two steps once the first step is completed. Even a collateral is disabled, a user can still call LibUbiquityPool.collectRedemption() to collect the collateral. Stopping the collateral transfer will not succeed.

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/libraries/LibUbiquityPool.sol#L476-L517

Tool used

VScode

Manual Review

Recommendation

Add the modifier collateralEnabled(collateralIndex) to LibUbiquityPool.collectRedemption()
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jan 14, 2024
@sherlock-admin2
Copy link
Contributor

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

It's protocol decision

@sherlock-admin2 sherlock-admin2 mentioned this issue Jan 14, 2024
Closed
@github-actions github-actions bot added the Has Duplicates A valid issue with 1+ other issues describing the same vulnerability label Jan 16, 2024
This was referenced Jan 16, 2024
Closed
Closed
Closed
@nevillehuang
Copy link
Collaborator

Invalid, in redeemDollar(), the collateralEnabled() is already performed., where in the the redeemCollateralBalances mapping for that particular collateral Index has been incremented ass seen here. Then there will be a check that this value is greather than zero in collectRedemption here.

If collateral is not enabled, this will result in no tokens being transferred to user since they cannot call redeemDollar() in the first place. For any pending redemptions, it is still users right to collect redemption, so no issue here.

@sherlock-admin sherlock-admin changed the title Damp Fossilized Canary - LibUbiquityPool.collectRedemption() lacks modifier collateralEnabled(collateralIndex). chaduke - LibUbiquityPool.collectRedemption() lacks modifier collateralEnabled(collateralIndex). Jan 24, 2024
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jan 24, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nevillehuang @sherlock-admin @sherlock-admin2