In order to send redeemed funds to another recipient, the owner has to provide full allowance to it #217
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
edited-by-warden
high quality report: This report is of especially high quality
primary issue: Highest quality submission among a set of duplicates
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/UserEscrow.sol#L38-L45
Vulnerability details
Impact
In order to send redeemed funds to another recipient, the owner has to provide full allowance to it.
Proof of Concept
When a user requests a redeem, the assets are sent to the user escrow.
Then, when the user redeems, he can provide another `recipient` of the assets. In order to send the assets to the recipient, the `userEscrow.transferOut` function is called.
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/UserEscrow.sol#L36-L50
As you can see, if `receiver != destination`, the function checks that `destination` has provided max allowance to the `receiver`.
This is wrong for several reasons. The user doesn't need to provide an allowance, as it's his choice to whom he sends redeemed assets. Because only the `destination` user can initiate the redeem, he shouldn't provide an allowance.
Another concern is that if I need to send assets to someone and I decide that it's more convenient for me to do it through redeem, then I will provide max allowance to the `recipient`. At that moment I have a risk that he will steal assets that I already have on my balance.
Also, as LiquidityPool is extending ERC4626, there is no such requirement for the assets receiver.
Tools Used
VsCode
Recommended Mitigation Steps
I don't see the need for the allowance check.
Assessed type
Error
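The behaviour described in this report, as an added example that is not part of the original submission and not the Centrifuge contract code: a simplified Python model of an ERC-20-style ledger and an escrow that applies the max-allowance check when `receiver != destination`. The class names, the `exposure` helper, the accounts `alice`/`bob` and all amounts are constructed assumptions.

```python
# Simplified Python model (constructed), not the Centrifuge Solidity code.
MAX_UINT256 = 2**256 - 1

class Token:
    """Minimal ERC-20-style ledger: balances plus owner->spender allowances."""
    def __init__(self):
        self.balance, self.allowance = {}, {}

    def mint(self, to, amount):
        self.balance[to] = self.balance.get(to, 0) + amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer(self, sender, to, amount):
        if self.balance.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balance[sender] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount

class Escrow:
    """Holds redeemed assets per destination, with the check the report describes."""
    def __init__(self, token):
        self.token, self.held = token, {}

    def transfer_in(self, destination, amount):
        self.token.mint("escrow", amount)
        self.held[destination] = self.held.get(destination, 0) + amount

    def transfer_out(self, destination, receiver, amount):
        allowed = self.token.allowance.get((destination, receiver), 0)
        if receiver != destination and allowed != MAX_UINT256:
            raise PermissionError("receiver has no allowance")
        if self.held.get(destination, 0) < amount:
            raise ValueError("transfer exceeds balance")
        self.held[destination] -= amount
        self.token.transfer("escrow", receiver, amount)

def exposure(token, owner, spender):
    """Amount of owner's own wallet balance that spender is authorised to move."""
    return min(token.balance.get(owner, 0), token.allowance.get((owner, spender), 0))

def scenario():
    token = Token()
    escrow = Escrow(token)
    token.mint("alice", 500)           # alice's pre-existing wallet balance
    escrow.transfer_in("alice", 100)   # redeemed assets held for alice
    try:
        escrow.transfer_out("alice", "bob", 100)
        blocked = False
    except PermissionError:
        blocked = True                 # no allowance: redeem to bob is refused
    token.approve("alice", "bob", MAX_UINT256)  # granted only to pass the check
    escrow.transfer_out("alice", "bob", 100)
    exposed = exposure(token, "alice", "bob")   # alice's whole wallet balance
    token.approve("alice", "bob", 0)            # revoke once the redeem is done
    return blocked, token.balance["bob"], exposed, exposure(token, "alice", "bob")
```

`scenario()` returns whether the redeem was refused before approval, the amount the receiver got, the wallet balance left covered by the approval, and the same figure after the approval is reset to zero.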