Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The term can be re-onboarded using a not allowed implementation #1231

Open
c4-bot-3 opened this issue Dec 28, 2023 · 8 comments
Open

The term can be re-onboarded using a not allowed implementation #1231

c4-bot-3 opened this issue Dec 28, 2023 · 8 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue edited-by-warden grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons sufficient quality report This report is of sufficient quality

Comments

@c4-bot-3
Copy link
Contributor

c4-bot-3 commented Dec 28, 2023
edited by c4-bot-1
Loading

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/LendingTermOnboarding.sol#L181
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/LendingTermOnboarding.sol#L92

Vulnerability details

Lines of code

Impact

The term can be re-onboarded using the LendingTermOnboarding::proposeOnboard() function, the problem is that the term may be using a implementation which was removed by the LendingTermOnboarding::allowImplementation()

Proof of Concept

Please see the next scenario:

  1. A termA is created using the implementation=address(123).
  2. Time goes by 1 year and the termA is removed using the LendingTermOffboarding.sol contract.
  3. The team found a bug in the implementation=address(123) an the implementation is removed using the LendingTermOnboarding::allowImplementation(address(123), false) function
  4. Time goes by another 6 months an the termA, which is using the implementation=address(123), is re-onboarded using LendingTermOnboarding::proposeOnboard() function. That may be a problem because the active termA may be using an implementation (address(123)) which is not allowed.

Tools used

Manual review

Recommended Mitigation Steps

The term proposed using the LendingTermOnboarding::proposeOnboard() function should be a recent created[term]

    function proposeOnboard(
        address term
    ) external whenNotPaused returns (uint256 proposalId) {
        // Check that the term has been created by this factory
        require(created[term] != 0, "LendingTermOnboarding: invalid term");
++      require(created[term] + MIN_LIVE > block.timestamp);
        // Check that the term was not subject to an onboard vote recently
        require(
            lastProposal[term] + MIN_DELAY_BETWEEN_PROPOSALS < block.timestamp,
            "LendingTermOnboarding: recently proposed"
        );
        lastProposal[term] = block.timestamp;

        // Check that the term is not already active
        // note that terms that have been offboarded in the past can be re-onboarded
        // and won't fail this check. This is intentional, because some terms might be offboarded
        // due to specific market conditions, and it might be desirable to re-onboard them
        // at a later date.
        bool isGauge = GuildToken(guildToken).isGauge(term);
        require(!isGauge, "LendingTermOnboarding: active term");

        // Generate calldata for the proposal
        (
            address[] memory targets,
            uint256[] memory values,
            bytes[] memory calldatas,
            string memory description
        ) = getOnboardProposeArgs(term);

        // propose
        return Governor.propose(targets, values, calldatas, description);
    }

Assessed type

Context
@c4-bot-3 c4-bot-3 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 28, 2023
c4-bot-3 added a commit that referenced this issue Dec 28, 2023
@c4-bot-3
0xbepresent issue #1231
73b6d35
@0xSorryNotSorry
Copy link

While my take is the mitigation might not be a solution for this, it seems that a require statement is not existing as referred in the submission.

@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Jan 1, 2024
@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Jan 1, 2024
@c4-pre-sort c4-pre-sort mentioned this issue Jan 1, 2024
Closed
@eswak
Copy link

eswak commented Jan 18, 2024

Acknowledging this, but think this is more fit for QA. The governance can check if a term proposed to be onboarded is using a deprecated implementation or not, and vote in consequence. It's worth doing the fix directly in the code because it's a bit inconsistent with the "first onboarding" flow.

@c4-sponsor c4-sponsor added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Jan 18, 2024
@c4-sponsor
Copy link

eswak (sponsor) acknowledged

@c4-sponsor
Copy link

eswak marked the issue as disagree with severity

@c4-sponsor c4-sponsor added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Jan 18, 2024
@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jan 26, 2024
@c4-judge
Copy link
Contributor

Trumpero changed the severity to QA (Quality Assurance)

@c4-judge
Copy link
Contributor

Trumpero marked the issue as grade-a

@eswak eswak mentioned this issue Jan 29, 2024
Merged
@Trumpero Trumpero mentioned this issue Jan 31, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue edited-by-warden grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@eswak @0xSorryNotSorry @c4-judge @c4-sponsor @c4-pre-sort @code4rena-admin @c4-bot-3