Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA report #41

Open
code423n4 opened this issue Feb 22, 2022 · 6 comments
Open

QA report #41

code423n4 opened this issue Feb 22, 2022 · 6 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L311-312

Vulnerability details

Impact

Vault shares and collateral cTokens might be accessed with sweep if a cToken have more than one address.

This will disturb the system accounting. The tokens caller obtained will be at a loss for other safe users who will not be able to receive Fei they own per contract records.

This is a fund loss scenario, but the probability is low as such tokens are rare, so setting severity to medium

Proof of Concept

TurboSafe.sweep controls for one vault and one cTokens address, allowing for sweeping everything else:

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L311-312

Some ERC20 have more than one address they can be operated with:

https://github.com/d-xo/weird-erc20#multiple-token-addresses

Recommended Mitigation Steps

As address control is used consider providing the ability to input a list of asset addresses to prohibit operations with
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Feb 22, 2022
code423n4 added a commit that referenced this issue Feb 22, 2022
@code423n4
hyh issue #41
3659422
@Joeysantoro
Copy link
Collaborator

This is an extremely niche edge case. I'm inclined to think multiple address tokens will not be approved for Turbo. Will contest to low and leave as acknowledged unless @transmissions11 has other ideas

@Joeysantoro Joeysantoro added disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons labels Feb 25, 2022
@transmissions11
Copy link
Collaborator

transmissions11 commented Feb 25, 2022
edited
Loading

Collateral cTokens having multiple addresses is out of scope because we control the Turbo pool and would never make such a token.

As for Vault shares in theory it could be an issue but once again we can vet Vaults to ensure they're not unsafe like this.

@GalloDaSballo
Copy link
Collaborator

I believe the finding to have merit and appreciate the warden's submission.

However I have to agree with the sponsor in that there is no reason to deploy a second cToken with the same underlying and if that were to happen remediation would be very quick.

So I'll mark the finding as valid but non-critical as it technically is correct, could happen but ultimately is not a vulnerability

@GalloDaSballo GalloDaSballo added 0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Mar 13, 2022
@GalloDaSballo GalloDaSballo reopened this Mar 19, 2022
@GalloDaSballo
Copy link
Collaborator

Will judge as a separate report 3/10

@GalloDaSballo
Copy link
Collaborator

Crazy how with the TUSD Compound Disclosure this finding takes a different meaning.

With the additional information I have :
https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2

I believe the finding is of Low Severity and will re-rate to 5/10 as a single QA report.

Ultimately I believe this can happen and if that were the case the finding could have a high impact, however the likelihood is extremely low, and would require the sponsor to mistakenly add a token with multiple address.

@GalloDaSballo GalloDaSballo added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 0 (Non-critical) Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation labels Mar 21, 2022
@CloudEllie
Copy link

Since this issue was downgraded to a QA level, and the warden did not submit a separate QA report, we've renamed this one to "QA report" for consistency.

The original title, for the record, was "TurboSafe.sweep can't control several addresses per token."

@CloudEllie CloudEllie changed the title TurboSafe.sweep can't control several addresses per token QA report Mar 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@GalloDaSballo @transmissions11 @Joeysantoro @code423n4 @CloudEllie