Function redeemParams should return default value #189
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-79
edited-by-warden
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L235-#L239
Vulnerability details
Impact
Proof of Concept
The contract JBXBuybackDelegate is a data source and according to the doc: A data source contract can be used to provide custom data to the JBPayoutRedemptionPaymentTerminal3_1.pay(...) transaction and/or the JBPayoutRedemptionPaymentTerminal3_1.redeemTokensOf(...) transaction.

Since JBXBuybackDelegate implements interface IJBFundingCycleDataSource, it must override function redeemParams and the contract decides to leave it empty:

Because the function is empty, if JBXBuybackDelegate is used as datasource for redeem, users would not be able to redeem their tokens, since the returned reclaimAmount from redeemParams is always 0.

Although this contract JBXBuybackDelegate is meant to be used for pay only and not for redeem, the contract should also let function redeemParams return default value (to not interfere with redeem process) so that if a user uses JBXBuybackDelegate as datasource for redeem (it's perfectly possible since this contract implements IJBFundingCycleDataSource interface), the contract would not make reclaimedAmount = 0, as recommended in the doc: https://docs.juicebox.money/dev/build/treasury-extensions/data-source/#examples
Tools Used
Recommended Mitigation Steps
I recommend returning default values from redeemParams function as the code above.
Assessed type
Library
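
Added example, not part of the original submission and not Juicebox code: a reduced model of the behaviour the report describes, contrasting a redeemParams with an empty body (named returns stay at zero) with a pass-through that hands the terminal's values back. RedeemParamsData, IDataSource, the two data source contracts and TerminalModel are simplified stand-ins assumed for illustration; the real Juicebox structs and signatures carry more fields.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Simplified stand-ins (assumptions), not the real Juicebox types.
struct RedeemParamsData {
    address holder;
    uint256 tokenCount;
    uint256 reclaimAmount; // amount the terminal computed for this redemption
    string memo;
}

interface IDataSource {
    function redeemParams(RedeemParamsData calldata data)
        external view returns (uint256 reclaimAmount, string memory memo);
}

// Empty body: the named return values are never assigned, so the caller
// receives reclaimAmount == 0 and an empty memo.
contract EmptyDataSource is IDataSource {
    function redeemParams(RedeemParamsData calldata)
        external pure override returns (uint256 reclaimAmount, string memory memo) {}
}

// Pass-through: returns the values the terminal supplied, so using this
// contract as the redeem data source does not alter the redemption.
contract PassThroughDataSource is IDataSource {
    function redeemParams(RedeemParamsData calldata data)
        external pure override returns (uint256 reclaimAmount, string memory memo)
    {
        return (data.reclaimAmount, data.memo);
    }
}

// Hypothetical terminal model: it replaces its own computed amount with
// whatever the configured data source returns.
contract TerminalModel {
    function previewRedeem(IDataSource source, uint256 tokenCount, uint256 computed)
        external view returns (uint256 reclaimAmount)
    {
        RedeemParamsData memory data =
            RedeemParamsData(msg.sender, tokenCount, computed, "");
        (reclaimAmount, ) = source.redeemParams(data);
    }
}
```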