Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tranche members can freely mint Tranche tokens and drain Escrow #183

Closed
c4-submissions opened this issue Sep 13, 2023 · 6 comments
Closed

Tranche members can freely mint Tranche tokens and drain Escrow #183

c4-submissions opened this issue Sep 13, 2023 · 6 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue low quality report This report is of especially low quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/token/Tranche.sol#L72
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.sol#L231
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/InvestmentManager.sol#L148
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/InvestmentManager.sol#L255

Vulnerability details

Impact

Approved members of Tranche can mint Tranche tokens to themselves and drain the Escrow.

Proof of Concept

mint() in Tranche.sol lacks access control for the caller. restricted modifier only enforces to is an approved member of the Tranche.

    function mint(address to, uint256 value) public override restricted(_msgSender(), to, value) {
        return super.mint(to, value);
    }

Consider following scenario:

  1. A malicious user initiates a minimal investment in a Tranche, successfully becoming an approved member
  2. Once user is approved, he can freely mint Tranche tokens to himself.
  3. Subsequently, the user invokes the requestRedeem() function on the LiquidityPool contract.
  4. requestRedeem() on InvestmentManager is triggered, and user supplies Tranche tokens.
  5. User is able to receive payout at epoch execution incoming message handleExecutedCollectRedeem().

Add following PoC to Tranche.t.sol:

    function testMintTokenForApprovedMembers() public {

        address attacker = makeAddr("attacker");

        //@note: attacker investment steps have been omitted for clarity in this test.
        //Assume the attacker has invested the minimum amount through the appropriate channel.
        //Following the investment, the attacker is now an approved member.
        restrictionManager.updateMember(attacker, block.timestamp + 100);
        bool member = restrictionManager.hasMember(attacker);
        console.log(member);

        //User can freely mint Tranche Token
        token.mint(attacker, 10000);
        uint256 bal = token.balanceOf(attacker);
        assertEq(bal, 10000);
    }

Tools Used

Manual Review/Foundry

Recommended Mitigation Steps

-   function mint(address to, uint256 value) public override restricted(_msgSender(), to, value) {
+   function mint(address to, uint256 value) public override auth restricted(_msgSender(), to, value) {
        return super.mint(to, value);
    }

Assessed type

Invalid Validation
@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Sep 13, 2023
c4-submissions added a commit that referenced this issue Sep 13, 2023
@c4-submissions
HChang26 issue #183
33ef180
@c4-pre-sort
Copy link

raymondfam marked the issue as low quality report

@c4-pre-sort c4-pre-sort added the low quality report This report is of especially low quality label Sep 15, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #14

@c4-judge
Copy link

gzeon-c4 marked the issue as duplicate of #779

@c4-judge
Copy link

gzeon-c4 changed the severity to 2 (Med Risk)

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Sep 26, 2023
@c4-judge c4-judge reopened this Sep 26, 2023
@c4-judge
Copy link

gzeon-c4 marked the issue as not a duplicate

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Sep 26, 2023
@c4-judge
Copy link

gzeon-c4 marked the issue as unsatisfactory:
Invalid

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue low quality report This report is of especially low quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c4-judge @c4-pre-sort @c4-submissions