Not resetting totalBurned in CashManager will break user redemptions #291
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-325
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/cash/CashManager.sol#L721-L724
Vulnerability details
Not resetting totalBurned in CashManager will break user redemptions
The current implementation of CashManager.completeRedemptions does not update the totalBurned amount of an epoch if there was a refund.
The problem is that if not all user redemptions for an epoch can be processed in a single call, the withdrawals break for all users processed in the second call for that epoch, as they will receive fewer tokens.
Scenario:
The users in the second transaction will now get fewer tokens than the users processed in the first transaction.
Proof of Concept
The following test should succeed, but Bob only gets 130666666 instead of 147000000 tokens and so it fails.
Add Test to File: forge-tests/cash/cash_manager/Redemption.t.sol
Tools Used
Manual review
Recommended Mitigation Steps
Update the totalBurned amount for the epoch after the refunds.
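The accounting error and the recommended fix, as an added example that is not part of the original report or the Ondo code: a simplified Python model in which each call pays `collateral * burned / (totalBurned - refunded)`. The payout formula, the two-call split, the users other than Bob and all amounts are assumptions, constructed so that the result reproduces the 130666666 and 147000000 figures from the proof of concept.

```python
# Simplified model of per-epoch redemption accounting (an assumption, not the
# CashManager source). Amounts are integers; division truncates as in Solidity.

class Epoch:
    def __init__(self, burned):
        self.burned = dict(burned)              # user -> CASH burned this epoch
        self.total_burned = sum(burned.values())


def complete_redemptions(epoch, redeemers, refundees, collateral_to_dist, patched):
    """Process one admin call; returns {user: collateral paid out}."""
    refunded = 0
    for user in refundees:
        refunded += epoch.burned.pop(user)      # refund: CASH goes back to the user
    quantity_burned = epoch.total_burned - refunded
    if patched:
        # Mitigation from the report: persist the reduced total for later calls.
        epoch.total_burned = quantity_burned
    payouts = {}
    for user in redeemers:
        payouts[user] = collateral_to_dist * epoch.burned.pop(user) // quantity_burned
    return payouts


def run_scenario(patched):
    # Constructed amounts: CASH with 18 decimals, collateral with 6 decimals.
    cash = 10**18
    epoch = Epoch({"alice": 100 * cash, "bob": 100 * cash, "charlie": 25 * cash})
    collateral = 294_000_000                    # distributable for the whole epoch
    # Call 1 services Alice and refunds Charlie; call 2 services Bob alone.
    first = complete_redemptions(epoch, ["alice"], ["charlie"], collateral, patched)
    second = complete_redemptions(epoch, ["bob"], [], collateral, patched)
    return first["alice"], second["bob"]


if __name__ == "__main__":
    print("unpatched:", run_scenario(patched=False))  # Bob is underpaid
    print("patched:  ", run_scenario(patched=True))   # Alice and Bob match
```

In the unpatched run the second call divides by the stale total that still includes the refunded amount, which is why Bob's share shrinks even though his burned amount equals Alice's.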