Admin burn function in rUSDY.sol will be unavailable when user is blocklisted #176
Labels: 2 (Med Risk) (assets not at direct risk, but function/availability of the protocol could be impacted or leak value); bug; duplicate-136; satisfactory (satisfies C4 submission criteria; eligible for awards); sufficient quality report
Lines of code
https://github.com/code-423n4/2023-09-ondo/blob/47d34d6d4a5303af5f46e907ac2292e6a7745f6c/contracts/usdy/rUSDY.sol#L672-L683
Vulnerability details
Impact
The burn() function, which only the privileged burner admin can call, burns rUSDY shares from an arbitrary account. It calls _burnShares(), which runs the _beforeTokenTransfer() hook to ensure that no party to the action is a non-allowlisted or restricted user. The _account argument of burn(address _account) is forwarded to _beforeTokenTransfer() as the from address, where it is checked against those lists. If _account has been blocklisted, the hook reverts, so the admin burn function is unusable for that account. In practice these are exactly the accounts an admin is most likely to need to burn from, so the restriction defeats the purpose of the privileged burn path.
Proof of Concept
The call path above (burn() -> _burnShares() -> _beforeTokenTransfer()) is sufficient: any blocklisted _account makes the final hook revert, and the burn never completes.
Tools Used
Manual review
Recommended Mitigation Steps
When _burnShares() is reached via the admin burn function, skip the _beforeTokenTransfer() checks that apply to _account (the from address) so that the admin can burn shares from a blocklisted account. The checks on the caller should remain in place; skipping the hook entirely for the admin path is broader than the fix needs to be.
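The following Solidity contract is an added example, not code from the Ondo rUSDY contract or from the report. It is a simplified model of the share accounting and transfer hook: the admin role, the blocklist mapping, the ShareTokenModel and Demo contract names, the enforceFrom flag, and the burnOriginal/burnMitigated pair are all assumptions made here for illustration. burnOriginal reproduces the finding (the admin burn routes through the same from-side check as user transfers and reverts on a blocklisted account), and burnMitigated shows the narrower fix of suppressing only the from-side check on the admin path while keeping the caller and recipient checks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Simplified model of rUSDY-style share accounting and its transfer hook.
// Added example: role gating, list checks and storage are stand-ins that keep
// only the shape relevant to the finding; this is not the project's code.
contract ShareTokenModel {
    address public immutable admin;          // stands in for the burner role holder
    mapping(address => uint256) public shares;
    mapping(address => bool) public blocked; // stands in for the blocklist

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    function setBlocked(address account, bool value) external onlyAdmin {
        blocked[account] = value;
    }

    function mint(address to, uint256 amount) external onlyAdmin {
        shares[to] += amount;
    }

    // Shape of the finding: the admin burn runs the full hook, so a blocked
    // `from` (the account being burned from) makes the burn revert.
    function burnOriginal(address account, uint256 amount) external onlyAdmin {
        _burnShares(account, amount, true);
    }

    // Narrower fix: the hook still runs for the admin path, but the from-side
    // restriction check is suppressed. Caller and recipient checks are kept.
    function burnMitigated(address account, uint256 amount) external onlyAdmin {
        _burnShares(account, amount, false);
    }

    // Ordinary user transfer: every check applies.
    function transfer(address to, uint256 amount) external {
        _beforeTokenTransfer(msg.sender, to, amount, true);
        shares[msg.sender] -= amount;
        shares[to] += amount;
    }

    function _burnShares(address account, uint256 amount, bool enforceFrom) internal {
        require(account != address(0), "BURN_FROM_THE_ZERO_ADDRESS");
        _beforeTokenTransfer(account, address(0), amount, enforceFrom);
        require(amount <= shares[account], "BURN_AMOUNT_EXCEEDS_BALANCE");
        shares[account] -= amount;
    }

    // enforceFrom is the assumed flag that lets the admin burn path skip only
    // the restriction check on `from`; the caller check in the first branch
    // still runs for the admin, and the recipient check still runs on transfers.
    function _beforeTokenTransfer(address from, address to, uint256, bool enforceFrom) internal view {
        if (from != msg.sender && to != msg.sender) {
            require(!blocked[msg.sender], "sender blocked");
        }
        if (from != address(0) && enforceFrom) {
            require(!blocked[from], "from blocked");
        }
        if (to != address(0)) {
            require(!blocked[to], "to blocked");
        }
    }
}

// Driver that exercises both paths against a blocklisted account.
// Deploy and call run(): it returns (true, true) when the original path
// reverts and the mitigated path actually burns the shares.
contract Demo {
    function run() external returns (bool originalReverted, bool mitigatedBurned) {
        ShareTokenModel token = new ShareTokenModel(); // Demo becomes admin
        address victim = address(0xBEEF);              // constructed sample account
        token.mint(victim, 100);
        token.setBlocked(victim, true);

        try token.burnOriginal(victim, 50) {
            originalReverted = false;
        } catch {
            originalReverted = true; // "from blocked" revert reproduces the finding
        }

        token.burnMitigated(victim, 50);
        mitigatedBurned = token.shares(victim) == 50;
    }
}
```

The point of the enforceFrom flag, rather than bypassing the hook altogether, is that the admin path still runs the check on msg.sender: a blocked or removed burner cannot use the privileged path, and ordinary transfer() calls are unaffected because they always pass true.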
Assessed type
Token-Transfer