The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

No Access Control in Burning EUROs from Smart Vault Can Lead to Falsified Off-Chain Data

dyoff

[M-06] No Access Control in Burning EUROs from Smart Vault Can Lead to Falsified Off-Chain Data

Description

The SmartVaultV3::burn() method lacks access control measures, allowing anyone to burn minted EUROs instead of restricting this functionality to the owner. A potential exploit involves a malicious user creating a Smart Vault, depositing collateral, and minting EUROs. Subsequently, the attacker could call the SmartVaultV3::burn() method on someone else's Smart Vault, which also has minted EUROs. This action would alter the SmartVaultV3::minted variable, providing false data compared to the actual holdings.

function burn(uint256 _amount) external ifMinted(_amount) { // @audit lacks access control, missing "onlyOwner" modifier

uint256 fee = _amount * ISmartVaultManagerV3(manager).burnFeeRate() / ISmartVaultManagerV3(manager).HUNDRED_PC();

minted = minted - _amount; // @audit vulnerability: potential for unauthorized manipulation of 'minted'

EUROs.burn(msg.sender, _amount);

IERC20(address(EUROs)).safeTransferFrom(msg.sender, ISmartVaultManagerV3(manager).protocol(), fee);

emit EUROsBurned(_amount, fee);

}

Impact

While this vulnerability doesn't result in fund loss for the victim or any direct advantage for the attacker, it can significantly disrupt off-chain representations of the current minted EUROs. This discrepancy could lead to a poor user experience due to misleading or falsified data representations.

Proof of Concept

The Foundry test demonstrating the disruption of the SmartVaultV3::minted storage variable is expected to be found here.

Recommended Mitigation

To address this issue, it's essential to restrict the burning of EUROs to only the owner by adding the SmartVaultV3::onlyOwner modifier:

- function burn(uint256 _amount) external ifMinted(_amount) {

+ function burn(uint256 _amount) external onlyOwner ifMinted(_amount) {

uint256 fee = _amount * ISmartVaultManagerV3(manager).burnFeeRate() / ISmartVaultManagerV3(manager).HUNDRED_PC();

minted = minted - _amount;

EUROs.burn(msg.sender, _amount);

IERC20(address(EUROs)).safeTransferFrom(msg.sender, ISmartVaultManagerV3(manager).protocol(), fee);

emit EUROsBurned(_amount, fee);

}

Tools Used

Manual Review

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

access-control

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.