Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing check in PoolManager.addTranche() if the decimals for a new tranch are <= MAX_CURRENCY_DECIMALS can lead to stuck stable coins #219

Open
c4-submissions opened this issue Sep 13, 2023 · 3 comments
Open

Missing check in PoolManager.addTranche() if the decimals for a new tranch are <= MAX_CURRENCY_DECIMALS can lead to stuck stable coins #219

c4-submissions opened this issue Sep 13, 2023 · 3 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-123 grade-a low quality report This report is of especially low quality QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/PoolManager.sol#L192-L212

Vulnerability details

Impact

It is possible to mint tranch tokens that have more than 18 decimals. This would break all calculations in investmentManager where values are converted from tranch token decimals to PRICE_DECIMALS and back and will lead to stuck stable coins in escrow.

Proof of Concept

In PoolManager the constant of MAX_CURRENCY_DECIMALS = 18 is used to prevent adding stable coins to the allow list that have more than 18 decimals. When creating a new tranch and thereby setting the decimal of the future tranch token there is no such check, meaning that it is possible to create a tranch with decimals of more than 18. This would lead to a tranch token with more than 18 decimals. Since functions like InvestmentManager._toPriceDecimals depend on the decimals of the tranch token to be <=18, this functions will revert and will result use funds been stuck in Escrow.

Example:
If a pool has a tranch token with more than 18 decimals, users can still call requestDeposite and try to invest in the pool. By calling this function, their stable coins they want to deposit to the pool will be send to escrow and a message with the deposit request will be send to centrifuge. Once the epoch of the centrifuge pool is over, the deposit request will be processed by centrifuge and a message with the identifier handleExecutedCollectInvest will be send to the gateway. This message will call InvestmentManger.handleExecutedCollectInvest which calls function call _toPriceDecimals. _toPriceDecimals will revert with an underflow because it cannot handle the decimals of the tranch token that are bigger than 18.

        value = uint256(_value) * 10 ** (PRICE_DECIMALS - decimals);

This means that the deposit of the user will never be finished and the stable coins that he sent to escrow will be stuck for ever.

Tools Used

Manual review

Recommended Mitigation Steps

Add a check to PoolManager.addTranche() that ensures that the decimals for the new tranch are <= MAX_CURRENCY_DECIMALS

Assessed type

Decimal
@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Sep 13, 2023
c4-submissions added a commit that referenced this issue Sep 13, 2023
@c4-submissions
BARW issue #219
7cf7c99
@c4-pre-sort
Copy link

raymondfam marked the issue as low quality report

@c4-pre-sort c4-pre-sort added the low quality report This report is of especially low quality label Sep 15, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #123

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Sep 25, 2023
@c4-judge
Copy link

gzeon-c4 changed the severity to QA (Quality Assurance)

@gzeon-c4 gzeon-c4 mentioned this issue Sep 28, 2023
Open
@C4-Staff C4-Staff reopened this Oct 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-123 grade-a low quality report This report is of especially low quality QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@c4-judge @c4-pre-sort @C4-Staff @c4-submissions