#37452 [SC-Critical] `trove-manager-contract.redeem_collateral_from_trove` can be locked forever

Submitted on Dec 5th 2024 at 04:07:57 UTC by @jasonxiale for IOP | Fluid Protocol

  • Report ID: #37452

  • Report Type: Smart Contract

  • Report severity: Critical

  • Target: https://github.com/Hydrogen-Labs/fluid-protocol/tree/main/contracts/trove-manager-contract/src/main.sw

  • Impacts:

    • Permanent freezing of funds

Description

Brief/Intro

trove-manager-contract.redeem_collateral_from_trove is used to redeem USDF for other collaterals. In the current implementation, there is an early return that doesn't set the lock variable to false, leading trove-manager-contract.redeem_collateral_from_trove to be DOSed forever.

Vulnerability Details

trove-manager-contract.redeem_collateral_from_trove calls trove-manager-contract.internal_redeem_collateral_from_trove. To prevent reentrancy, that function first makes sure lock_internal_redeem_collateral_from_trove isn't set, and then sets the variable, in trove-manager-contract#L789-L797.

If lock_internal_redeem_collateral_from_trove has already been set, the function reverts with the message "TroveManager: Internal redeem collateral from trove is locked".

Then at the end of the function, lock_internal_redeem_collateral_from_trove will be cleared.

The issue is that there is an early return in trove-manager-contract#L819-L822, and lock_internal_redeem_collateral_from_trove isn't cleared before that return.

Impact Details

If the early return happens, redeem_collateral_from_trove will be DOSed forever.
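
The lock pattern described above, modelled in Rust as an added example (it is not the PoC from the report and not the project's Sway code). The `cancel_early` flag is a hypothetical stand-in for whatever condition triggers the early return, and the returned amounts are constructed values.

```rust
// Simplified Rust model of the lock pattern (not the project's Sway code).
// `cancel_early` is a hypothetical stand-in for the condition that triggers
// the early return in the real function; return values are constructed.
#[derive(Default)]
pub struct TroveManager {
    lock: bool, // models lock_internal_redeem_collateral_from_trove
}

const LOCKED: &str = "TroveManager: Internal redeem collateral from trove is locked";

impl TroveManager {
    fn acquire(&mut self) -> Result<(), &'static str> {
        if self.lock {
            return Err(LOCKED); // the contract reverts at this point
        }
        self.lock = true;
        Ok(())
    }

    /// Flawed shape: the early return leaves the lock set.
    pub fn redeem_flawed(&mut self, cancel_early: bool) -> Result<u64, &'static str> {
        self.acquire()?;
        if cancel_early {
            return Ok(0); // successful return, lock never cleared on this path
        }
        self.lock = false;
        Ok(1)
    }

    /// Corrected shape: every exit path after acquire() clears the lock.
    pub fn redeem_fixed(&mut self, cancel_early: bool) -> Result<u64, &'static str> {
        self.acquire()?;
        let redeemed = if cancel_early { 0 } else { 1 };
        self.lock = false; // single exit point once the lock is taken
        Ok(redeemed)
    }
}

fn main() {
    let mut flawed = TroveManager::default();
    assert_eq!(flawed.redeem_flawed(true), Ok(0));
    assert_eq!(flawed.redeem_flawed(false), Err(LOCKED)); // stuck from now on
    let mut fixed = TroveManager::default();
    assert_eq!(fixed.redeem_fixed(true), Ok(0));
    assert_eq!(fixed.redeem_fixed(false), Ok(1));
    println!("flawed model stays locked; fixed model keeps working");
}
```

Because the early return completes successfully rather than reverting, the lock write is persisted, which is why the flawed path never recovers.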


Proof of Concept

Please put the following code in contracts/protocol-manager-contract/tests/success_redemptions.rs and run

In the PoC, two redeem transactions are submitted. The first is used to make internal_redeem_collateral_from_trove return early (which means lock_internal_redeem_collateral_from_trove isn't cleared), and the second redeem transaction will revert with "TroveManager: Internal redeem collateral from trove is locked".
