Omniscia Nexera Audit

FractionERC20PausableDataManager Manual Review Findings

FEP-01M: Inexistent Override of Burn / Mint Capabilities

Description:

The FractionERC20PausableDataManager contract implementation does not override the relevant OmnichainERC20Burnable and OmnichainERC20Mintable burn and mint capabilities, permitting sensitive functionality such as FractionERC20DataManager::partiallyUnlockWrappedAssets to remain accessible in a paused state.

Impact:

We consider this issue to be of medium severity as an attempted recovery from a malicious account (i.e. after an exploit and consequent pause of the system) can be sabotaged by the malicious party burning all their funds.

Example:

contracts/dataManagers/fractionalizers/ERC20Fraction/FractionERC20PausableDataManager.sol
41  /// @inheritdoc OmnichainERC20Transfers
42  function transfer(address to, uint256 amount) public virtual override(IERC20, OmnichainERC20Transfers) onlyNotPausedTransfers(to) returns (bool) {
43      return super.transfer(to, amount);
44  }
45
46  /// @inheritdoc OmnichainERC20Transfers
47  function transferFrom(
48      address from,
49      address to,
50      uint256 amount
51  ) public virtual override(IERC20, OmnichainERC20Transfers) onlyNotPausedTransfers(to) returns (bool) {
52      return super.transferFrom(from, to, amount);
53  }
54
55  /// @inheritdoc OmnichainERC20Transfers
56  function transfer(
57      OmnichainAddress to,
58      uint256 amount
59  ) public payable virtual override(OmnichainERC20Transfers) onlyNotPausedOmnichainTransfers(to) returns (bool) {
60      return super.transfer(to, amount);
61  }
62
63  /// @inheritdoc OmnichainERC20Transfers
64  function transferFrom(
65      address from,
66      OmnichainAddress to,
67      uint256 amount
68  ) public payable virtual override(OmnichainERC20Transfers) onlyNotPausedOmnichainTransfers(to) returns (bool) {
69      return super.transferFrom(from, to, amount);
70  }

Recommendation:

As the system indicates that the pausability feature is meant to be utilized in tandem with a recovery mechanism (i.e. FractionERC20PausableRecoveryDataManager), we advise the relevant burn and mint capabilities to be overridden.

Alleviation:

The relevant mint and burn capabilities have been overridden as advised, alleviating this exhibit.

FEP-02M: Insufficient Override of Omnichain Transfer Capabilities

Type: Logical Fault
Severity:
Location: FractionERC20PausableDataManager.sol: I-1: L56-L61, I-2: L64-L70

Description:

The FractionERC20PausableDataManager contract fails to override the OmnichainERC20Transfers::transfer(OmnichainAddress,uint256,address) and OmnichainERC20Transfers::transferFrom(address,OmnichainAddress,uint256,address) function signatures, thereby failing to prevent transfers when they are invoked.

Impact:

Transfers through the OmnichainERC20Transfers functions that contain an explicit refund address bypass pausability restrictions, permitting the pause security feature of the system to be circumvented.

Example:

contracts/dataManagers/fractionalizers/ERC20Fraction/FractionERC20PausableDataManager.sol
55  /// @inheritdoc OmnichainERC20Transfers
56  function transfer(
57      OmnichainAddress to,
58      uint256 amount
59  ) public payable virtual override(OmnichainERC20Transfers) onlyNotPausedOmnichainTransfers(to) returns (bool) {
60      return super.transfer(to, amount);
61  }
62
63  /// @inheritdoc OmnichainERC20Transfers
64  function transferFrom(
65      address from,
66      OmnichainAddress to,
67      uint256 amount
68  ) public payable virtual override(OmnichainERC20Transfers) onlyNotPausedOmnichainTransfers(to) returns (bool) {
69      return super.transferFrom(from, to, amount);
70  }

Recommendation:

We advise these function signatures to be properly overridden, similarly to the FractionERC1155PausableDataManager contract implementation.

Alleviation:

All omnichain transfer variants are properly overridden in the updated implementation, alleviating this exhibit.
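The gap in FEP-02M can be caught mechanically by comparing every base entry point against the overrides that carry a pause guard. The following is an added example, not part of the audit or the Nexera code base: it assumes the base signature list is limited to the six named on this page, and it uses a simple regex rather than a full Solidity parser. The same check applies to the mint and burn functions of FEP-01M once their signatures are added to the list from the base contracts.

```python
import re

# Entry points of OmnichainERC20Transfers named on this page: four overridden
# in the excerpt, two reported missing in FEP-02M (assumed to be the full set).
BASE_SIGNATURES = {
    "transfer(address,uint256)",
    "transferFrom(address,address,uint256)",
    "transfer(OmnichainAddress,uint256)",
    "transferFrom(address,OmnichainAddress,uint256)",
    "transfer(OmnichainAddress,uint256,address)",
    "transferFrom(address,OmnichainAddress,uint256,address)",
}

# Overrides quoted in the findings, line numbers stripped and bodies kept.
DERIVED_SOURCE = """
function transfer(address to, uint256 amount) public virtual override(IERC20, OmnichainERC20Transfers) onlyNotPausedTransfers(to) returns (bool) {
    return super.transfer(to, amount);
}
function transferFrom(address from, address to, uint256 amount)
    public virtual override(IERC20, OmnichainERC20Transfers) onlyNotPausedTransfers(to) returns (bool) {
    return super.transferFrom(from, to, amount);
}
function transfer(OmnichainAddress to, uint256 amount)
    public payable virtual override(OmnichainERC20Transfers) onlyNotPausedOmnichainTransfers(to) returns (bool) {
    return super.transfer(to, amount);
}
function transferFrom(address from, OmnichainAddress to, uint256 amount)
    public payable virtual override(OmnichainERC20Transfers) onlyNotPausedOmnichainTransfers(to) returns (bool) {
    return super.transferFrom(from, to, amount);
}
"""

# name, parameter list, then everything up to the body (visibility, modifiers, returns)
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)[{;]", re.S)

def guarded_signatures(source, guard_prefix="onlyNotPaused"):
    """Canonical signatures of functions whose header carries a pause-guard modifier."""
    found = set()
    for name, params, header in FUNC_RE.findall(source):
        if re.search(rf"\b{guard_prefix}\w*", header):
            types = [p.split()[0] for p in params.split(",") if p.strip()]
            found.add(f"{name}({','.join(types)})")
    return found

def unguarded(base_signatures, derived_source):
    """Base entry points that remain callable while paused, sorted for stable output."""
    return sorted(set(base_signatures) - guarded_signatures(derived_source))

if __name__ == "__main__":
    print("\n".join(unguarded(BASE_SIGNATURES, DERIVED_SOURCE)))
```

Run against the excerpt, the check reports the two refund-address overloads. It matches on canonical signatures rather than function names, since the contract already overrides other `transfer` and `transferFrom` overloads.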