-
Notifications
You must be signed in to change notification settings - Fork 0
-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Selftransfer increases balance by sent amount. #496
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-299
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
itsmetechjay
added
bug
Something isn't working
3 (High Risk)
Assets can be stolen/lost/compromised directly
labels
Oct 24, 2022
Warden submitted issue via email to sockdrawermoney prior to contest close due to login issues over the weekend |
Duplicate: #266 |
Dup of #299 |
GalloDaSballo marked the issue as not a duplicate |
GalloDaSballo marked the issue as duplicate of #299 |
Simon-Busch
added
the
satisfactory
satisfies C4 submission criteria; eligible for awards
label
Dec 5, 2022
Marked this issue as Satisfactory as requested by @GalloDaSballo |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-299
satisfactory
satisfies C4 submission criteria; eligible for awards
Link to code
https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBToken.sol#L176::L196
Impact
When a malicious user decides to send LBTokens to their own address they will increase their own balance by the sent amount.
Vulnerable function
_transfer
is reachable via the public functionssafeBatchTransferFrom
andsafeTransferFrom
.L187 effectively saves
_toBalance
before_fromBalance
is adjusted.If
_from
==_to
attackers can effectively double their balance.The step can be endlessly repeated and leads to complete loss of value of whatever the LBToken represents.
Proof of concept
See recommended mitigation.
Recommended Mitigation Steps
Ensure that _from != _to in
_transfer
function.Add below code to test/LBToken.t.sol in order to catch regressions once the bug is fixed (test also works as proof of concept).
Code
Output
The text was updated successfully, but these errors were encountered: