Users can prevent the burning of their tokens if their USDY is supposed to be taken/seized by the protocol. #100
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-136
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2023-09-ondo/blob/main/contracts/usdy/rUSDY.sol#L678
Vulnerability details
Impact
Proof of Concept
The purpose of the
rUSDY:burn()
can be thought of as a mean for the protocol to seize funds from accounts who are not allowed to own USDY (see sponsor's explanation).The problem with the existing logic is that the account must not be blacklisted/sanctioned and it has to be allowed, the reason is because to burn the shares, the _burnShares() is called, and in this function, the _beforeTokenTransfer() function is called, inside the _beforeTokenTransfer() is verified if the account is blacklisted/sanctioned or not allowed to execute operations.
So, if the account must be allowed in order for the burning operation to be executed, that means that the account's owner can also execute transfers of rUSDY to another accounts and unwrap the rUSDY for USDY.
burn() => _burnShares() => _beforeTokenTransfer()
Tools Used
Manual Audit
Recommended Mitigation Steps
_burnShares()
so that depending on the reason to burn shares will check or not that the account is blacklisted/sanctioned._burnShares()
that will indicate to the function if needs to check the account status (blacklisted/sanctioned) or not.burn()
, the account check should not be done, and the burning should be executed anyways, but if the burning is coming from another function, like theunwrap()
, then the account check should be done.Assessed type
Timing
The text was updated successfully, but these errors were encountered: