Skip to content

User can be added back to KYCed list after being removed using removeKYCAddresses #12

New issue
New issue
Closed
Closed
User can be added back to KYCed list after being removed using removeKYCAddresses#12
Labels
2 (Med Risk)Assets not at direct risk, but function/availability of the protocol could be impacted or leak valuebugSomething isn't workingduplicate-187partial-50Incomplete articulation of vulnerability; eligible for partial credit only (50%)
@code423n4

Description

@code423n4
code423n4
opened on Jan 12, 2023

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/cash/kyc/KYCRegistry.sol#L79-L112
https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/cash/kyc/KYCRegistry.sol#L175

Vulnerability details

Impact

A user that should be removed from the KYC list can be added back to the KYCed list using addKYCAddressViaSignature() until the signature expires.

Proof of Concept

  • User submits KYC documents and gets a valid signature
  • User submits the signature to get whitelisted using addKYCAddressViaSignature()
  • Team revokes KYC using removeKYCAddresses
  • User resubmits signature using addKYCAddressViaSignature(), the address will be added back to the whitelist

Tools Used

Manual review

Recommended Mitigation Steps

I recommend adding a storing and checking for used signatures to prevent them from being reused. It's also lacking a mechanism to revoke not used signatures.

Metadata

Metadata

Assignees

No one assigned

    Labels

    2 (Med Risk)Assets not at direct risk, but function/availability of the protocol could be impacted or leak valuebugSomething isn't workingduplicate-187partial-50Incomplete articulation of vulnerability; eligible for partial credit only (50%)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions