Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AccountingManager is not ERC4626 compliant #1419

Open
c4-bot-2 opened this issue May 17, 2024 · 6 comments
Open

AccountingManager is not ERC4626 compliant #1419

c4-bot-2 opened this issue May 17, 2024 · 6 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-136 grade-a partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%) QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_16_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-2
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-04-noya/blob/9c79b332eff82011dcfa1e8fd51bad805159d758/contracts/accountingManager/AccountingManager.sol#L693-L707
https://github.com/code-423n4/2024-04-noya/blob/9c79b332eff82011dcfa1e8fd51bad805159d758/contracts/accountingManager/AccountingManager.sol#L304
https://github.com/code-423n4/2024-04-noya/blob/9c79b332eff82011dcfa1e8fd51bad805159d758/contracts/accountingManager/AccountingManager.sol#L200

Vulnerability details

As stated in the README, the AccountingManager should comply with the ERC4626 standard, but it currently does not.

Impact

Vault does not conform to ERC4626 which may break external integrations.

Proof of Concept

Functions:

  1. Deposit and Mint Functions:
    • ERC-4626 Functions:
      • deposit(uint256 assets, address receiver)
      • mint(uint256 shares, address receiver)
    • AccountingManager:
      • The AccountingManager contract overrides these functions but reverts with NoyaAccounting_NOT_ALLOWED.
      • The contract has its custom deposit function, but it takes three parameters (address receiver, uint256 amount, address referrer) instead of the ERC-4626 standard two parameters (uint256 assets, address receiver).
  2. Withdraw and Redeem Functions:
    • ERC-4626 Functions:
      • withdraw(uint256 assets, address receiver, address owner)
      • redeem(uint256 shares, address receiver, address owner)
    • AccountingManager:
      • Similar to the deposit and mint functions, the AccountingManager overrides these functions but reverts with NoyaAccounting_NOT_ALLOWED.
      • The contract has its custom withdraw function, but it only takes two parameters (uint256 share, address receiver), whereas the ERC-4626 standard requires three parameters (uint256 assets, address receiver, address owner).
      • The AccountingManager.withdraw function is actually aERC4626.redeem function. The reason for this is it receives uint256 share as a parameter when it should instead receive uint256 assets.

Tools Used

Manual Review

Recommended Mitigation Steps

Modify the AccountingManager functions to comply with the ERC4626 standard.

Assessed type

ERC4626
@c4-bot-2 c4-bot-2 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels May 17, 2024
@c4-bot-13 c4-bot-13 added the 🤖_16_group AI based duplicate group recommendation label May 17, 2024
@c4-pre-sort
Copy link

DadeKuma marked the issue as duplicate of #136

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label May 20, 2024
@c4-pre-sort
Copy link

DadeKuma marked the issue as sufficient quality report

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jun 2, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Jun 2, 2024

gzeon-c4 changed the severity to QA (Quality Assurance)

jacobheun pushed a commit that referenced this issue Jun 4, 2024
@c4-bot-2
TPSec issue #1419
fa6636b
@d3e4 d3e4 mentioned this issue Jun 5, 2024
Closed
@c4-judge c4-judge reopened this Jun 9, 2024
@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Jun 9, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Jun 9, 2024

This previously downgraded issue has been upgraded by gzeon-c4

@c4-judge c4-judge closed this as completed Jun 9, 2024
@c4-judge c4-judge added the partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%) label Jun 9, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Jun 9, 2024

gzeon-c4 marked the issue as partial-25

@c4-judge
Copy link
Contributor

c4-judge commented Jun 9, 2024

gzeon-c4 changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jun 9, 2024
@c4-judge c4-judge mentioned this issue Jun 9, 2024
Closed
@C4-Staff C4-Staff reopened this Jun 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-136 grade-a partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%) QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_16_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@c4-judge @c4-pre-sort @C4-Staff @c4-bot-2 @c4-bot-13