Blacklisted user can burn tokens during WHITELIST_ENABLED state #15

Open
c4-bot-9 opened this issue Nov 11, 2024 · 5 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-01 primary issue Highest quality submission among a set of duplicates 🤖_03_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report

Comments

@c4-bot-9 (Contributor)
Lines of code

https://github.com/code-423n4/2024-11-ethena-labs/blob/e93ee09b10f900bd3be385f392c80920898bf53e/contracts/ustb/UStb.sol#L199

Vulnerability details

Finding description and impact

Blacklisted user can burn tokens during WHITELIST_ENABLED state. This breaks the main invariant from the README. This could become an issue when the admin tries to redistribute the blacklisted user's UStb balance using redistributeLockedAmount() but the blacklisted user frontruns it with a burn.

Proof of Concept

According to the comment here, it is possible for an address to be whitelisted and blacklisted at the same time.

During the WHITELIST_ENABLED state, the code block below is checked when burning tokens to ensure only whitelisted addresses can burn their tokens. But since blacklisted users also have the whitelisted role as per the comment above, the condition evaluates to true and allows the blacklisted address to burn tokens.

File: UStb.sol

```solidity
} else if (hasRole(WHITELISTED_ROLE, msg.sender) && hasRole(WHITELISTED_ROLE, from) && to == address(0)) {
    // whitelisted user can burn
```

Recommended mitigation steps

Add the conditions !hasRole(BLACKLISTED_ROLE, msg.sender) and !hasRole(BLACKLISTED_ROLE, from) to the check.
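The check and the race described above, as an added example that is not the UStb contract or any code from the audit repository: a minimal role-gated token that carries the quoted WHITELIST_ENABLED burn branch next to the mitigated branch, a blacklisted holder that tries to burn, and a driver that runs the holder's burn ahead of the admin's redistribution against both variants. Role names follow the issue; the transfer-state enum, the admin model, the storage layout and the body of redistributeLockedAmount() are simplified assumptions, not the project's implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the UStb contract. Role names follow the issue; the
// state enum, admin model and redistributeLockedAmount() body are assumptions.
contract RoleGatedBurnExample {
    bytes32 public constant WHITELISTED_ROLE = keccak256("WHITELISTED_ROLE");
    bytes32 public constant BLACKLISTED_ROLE = keccak256("BLACKLISTED_ROLE");

    enum TransferState { FULLY_DISABLED, WHITELIST_ENABLED, FULLY_ENABLED }
    TransferState public transferState = TransferState.WHITELIST_ENABLED;

    mapping(bytes32 => mapping(address => bool)) private roles;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public immutable admin;
    bool public immutable hardened; // false: vulnerable branch, true: mitigated branch

    constructor(bool _hardened) {
        admin = msg.sender;
        hardened = _hardened;
    }

    function hasRole(bytes32 role, address who) public view returns (bool) {
        return roles[role][who];
    }

    // Nothing prevents one address from holding both roles, which is the
    // precondition the finding relies on.
    function grantRole(bytes32 role, address who) external {
        require(msg.sender == admin, "not admin");
        roles[role][who] = true;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    // Vulnerable branch, as quoted in the finding: only the whitelist is
    // consulted, so a whitelisted-and-blacklisted holder passes.
    function _burnAllowedVulnerable(address from, address to) internal view returns (bool) {
        return hasRole(WHITELISTED_ROLE, msg.sender) && hasRole(WHITELISTED_ROLE, from) && to == address(0);
    }

    // Mitigated branch: neither the caller nor the source may be blacklisted.
    function _burnAllowedHardened(address from, address to) internal view returns (bool) {
        return hasRole(WHITELISTED_ROLE, msg.sender) && hasRole(WHITELISTED_ROLE, from)
            && !hasRole(BLACKLISTED_ROLE, msg.sender) && !hasRole(BLACKLISTED_ROLE, from)
            && to == address(0);
    }

    function burn(uint256 amount) external {
        require(transferState == TransferState.WHITELIST_ENABLED, "wrong state");
        bool allowed = hardened
            ? _burnAllowedHardened(msg.sender, address(0))
            : _burnAllowedVulnerable(msg.sender, address(0));
        require(allowed, "burn not allowed");
        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
    }

    // Simplified stand-in for redistributeLockedAmount(): move a blacklisted
    // holder's whole balance to a non-blacklisted recipient. A burn that
    // lands first leaves nothing to move and the admin's call reverts.
    function redistributeLockedAmount(address from, address to) external {
        require(msg.sender == admin, "not admin");
        require(hasRole(BLACKLISTED_ROLE, from) && !hasRole(BLACKLISTED_ROLE, to), "bad roles");
        uint256 amount = balanceOf[from];
        require(amount > 0, "nothing to redistribute");
        balanceOf[from] = 0;
        balanceOf[to] += amount;
    }
}

// The blacklisted holder; it burns from its own address so msg.sender is it.
contract Holder {
    function tryBurn(RoleGatedBurnExample token, uint256 amount) external returns (bool) {
        try token.burn(amount) { return true; } catch { return false; }
    }
}

// Deploys both variants as admin and runs the race from the issue. run()
// returns (true, false): the vulnerable variant lets the holder burn ahead of
// the admin; the hardened one reverts the burn and the redistribution succeeds.
contract Scenario {
    function run() external returns (bool vulnerableBurned, bool hardenedBurned) {
        vulnerableBurned = _race(new RoleGatedBurnExample(false));
        hardenedBurned = _race(new RoleGatedBurnExample(true));
    }

    function _race(RoleGatedBurnExample token) internal returns (bool burned) {
        Holder holder = new Holder();
        address recipient = address(uint160(0xBEEF)); // arbitrary non-blacklisted address
        token.grantRole(token.WHITELISTED_ROLE(), address(holder));
        token.grantRole(token.BLACKLISTED_ROLE(), address(holder)); // both roles at once
        token.mint(address(holder), 100);
        burned = holder.tryBurn(token, 100); // the holder's frontrunning transaction
        if (!burned) {
            token.redistributeLockedAmount(address(holder), recipient); // the admin's transaction
            assert(token.balanceOf(recipient) == 100);
        }
    }
}
```

Deploy Scenario and call run(): the first return value is true because the vulnerable branch only asks whether both addresses are whitelisted, the second is false because the added !hasRole(BLACKLISTED_ROLE, ...) terms reject the holder, after which the admin's redistribution finds the full balance still in place.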

@c4-bot-9 c4-bot-9 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 11, 2024
c4-bot-4 added a commit that referenced this issue Nov 11, 2024
@c4-bot-13 c4-bot-13 added the 🤖_03_group AI based duplicate group recommendation label Nov 11, 2024
@c4-judge

0xEVom marked the issue as duplicate of #3

@c4-judge

0xEVom marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Nov 12, 2024
@mcgrathcoutinho

Hi @0xEVom, could you please select this report as the primary selected for report?

Other than specifying what the primary issue mentions, this issue also includes an additional scenario in the impact section where the blacklisted user can frontrun the admin's redistributeLockedAmount() call, effectively depriving the admin of the ability to redistribute the tokens to a non-blacklisted address to serve its intended purpose.

Thank you for your time!

@0xEVom

0xEVom commented Nov 21, 2024

@mcgrathcoutinho agree that this could be seen as an additional impact. The DEFAULT_ADMIN_ROLE cannot immediately sidestep this and mint tokens to the recipient of the redistribution, but is forced to coordinate with the MINTER_ROLE.

@c4-judge

0xEVom marked the issue as selected for report

@c4-judge c4-judge reopened this Nov 21, 2024
@c4-judge c4-judge added primary issue Highest quality submission among a set of duplicates selected for report This submission will be included/highlighted in the audit report labels Nov 21, 2024
@C4-Staff C4-Staff added the M-01 label Nov 22, 2024