Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Re-onboarded term can be offboarded instantly #874

Closed
c4-bot-5 opened this issue Dec 28, 2023 · 4 comments
Closed

Re-onboarded term can be offboarded instantly #874

c4-bot-5 opened this issue Dec 28, 2023 · 4 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-1147 satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@c4-bot-5
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L154
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L197

Vulnerability details

Impact

There can be a situation where an offboarded term has been re-onboarded without a cleanup, that term can be offboarded instantly, without a 7 day vote.

Proof of Concept

In order to offboard a term users need to start a 7 day voting in the LendingTermOffboarding.sol, after it succeeded we set canOffboard[term] = true
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L139
and anyone can call offboard function to remove the gauge from the active list
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L153

    function offboard(address term) external whenNotPaused {
        require(canOffboard[term], "LendingTermOffboarding: quorum not met");

        // update protocol config
        // this will revert if the term has already been offboarded
        // through another mean.
        GuildToken(guildToken).removeGauge(term);

        // pause psm redemptions
        if (
            nOffboardingsInProgress++ == 0 &&
            !SimplePSM(psm).redemptionsPaused()
        ) {
            SimplePSM(psm).setRedemptionsPaused(true);
        }

        emit Offboard(block.timestamp, term);
    }

Later this gauge can be re-onboarded with the LendingTermOnboarding.sol, unfortunately canOffboard flag isn't reset for the re-onboarded term and it can be offboarded again by anyone without a vote. To set this flag to false we need to execute a cleanup function
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L197
but this requirement indicates that it is not necessary to call this function if we plan to re-onboard the term
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L181-L184
It is worth noting that the nOffboardingsInProgress counter is also not updated, which can create problems with following requirement in the future
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/governance/LendingTermOffboarding.sol#L191-L195

Check this test case for LendingTermOffboarding.t.sol 

    function testInstantOffboardAfterReonboard() public {
        // prepare (1)
        guild.mint(bob, _QUORUM);
        vm.startPrank(bob);
        guild.delegate(bob);
        uint256 snapshotBlock = block.number;
        offboarder.proposeOffboard(address(term));
        vm.roll(block.number + 1);
        vm.warp(block.timestamp + 13);
        offboarder.supportOffboard(snapshotBlock, address(term));
        offboarder.offboard(address(term));
        vm.stopPrank();

        // re-onboard
        guild.addGauge(1, address(term));

        // offboard without voting
        offboarder.offboard(address(term));
    }

Tools Used

Foundry

Recommended Mitigation Steps

Set canOffboard[term] to false and decrement nOffboardingsInProgress if the gauge was previously removed

Assessed type

Governance
@c4-bot-5 c4-bot-5 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 28, 2023
c4-bot-1 added a commit that referenced this issue Dec 28, 2023
@c4-bot-1
SpicyMeatball issue #874
5bf9128
@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Jan 4, 2024
@c4-pre-sort
Copy link

0xSorryNotSorry marked the issue as duplicate of #1147

@c4-judge
Copy link
Contributor

Trumpero marked the issue as duplicate of #1141

@c4-judge c4-judge added duplicate-1141 satisfactory satisfies C4 submission criteria; eligible for awards and removed duplicate-1147 labels Jan 25, 2024
@c4-judge
Copy link
Contributor

Trumpero marked the issue as satisfactory

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-1147 satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c4-judge @c4-pre-sort @c4-bot-5