Arbitrary zeroExTradeData calldata to the exchange router may result in loss of funds for the borrower
#384
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-110
edited-by-warden
partial-50
Lines of code
https://github.com/debtdao/Line-of-Credit/blob/f32cb3eeb08663f2456bf6e2fba21e964da3e8ae/contracts/utils/SpigotedLineLib.sol#L135
Vulnerability details
Impact
During the trade of claimToken for targetToken, the calldata passed to the 0x router (zeroExTradeData) is arbitrary data that can be supplied by the borrower or the lender:
https://github.com/debtdao/Line-of-Credit/blob/f32cb3eeb08663f2456bf6e2fba21e964da3e8ae/contracts/utils/SpigotedLineLib.sol#L135
If the lender supplies calldata such that more claimToken is consumed than expected, the borrower is impacted (loses some funds).
Proof of Concept
If a (malicious) lender wants to claim and repay, the call flow is as follows:
claimAndRepay(address claimToken, bytes calldata zeroExTradeData)
=> function _claimAndTrade(address claimToken, address targetToken, bytes calldata zeroExTradeData)
=> function claimAndTrade(address claimToken, address targetToken, address payable swapTarget, address spigot, uint256 unused, bytes calldata zeroExTradeData)
=> function trade(uint256 amount, address sellToken, address payable swapTarget, bytes calldata zeroExTradeData)
https://github.com/debtdao/Line-of-Credit/blob/f32cb3eeb08663f2456bf6e2fba21e964da3e8ae/contracts/modules/credit/SpigotedLine.sol#L93
https://github.com/debtdao/Line-of-Credit/blob/f32cb3eeb08663f2456bf6e2fba21e964da3e8ae/contracts/modules/credit/SpigotedLine.sol#L187
https://github.com/debtdao/Line-of-Credit/blob/f32cb3eeb08663f2456bf6e2fba21e964da3e8ae/contracts/utils/SpigotedLineLib.sol#L53
https://github.com/debtdao/Line-of-Credit/blob/f32cb3eeb08663f2456bf6e2fba21e964da3e8ae/contracts/utils/SpigotedLineLib.sol#L120
Assuming targetToken is DAI and claimToken is USDC: if the calldata zeroExTradeData encodes a call meaning "buy 100 DAI for any amount of USDC" instead of "buy 100 DAI for at most 105 USDC", it is very possible that more than 105 USDC will be consumed to trade for 100 DAI. In this case, the borrower loses more claimToken than expected.
In summary, since the calldata is arbitrary, the lender can supply data meaning "buy X targetToken for any amount of claimToken" or "sell X claimToken for any amount of targetToken"; in both cases the borrower may lose funds. The correct calldata would be "buy X targetToken for at most Y claimToken" or "sell X claimToken for at least Y targetToken".
Tools Used
Recommended Mitigation Steps
The calldata zeroExTradeData should be fixed in advance, i.e. the contract itself should determine which router function is going to be called. For example, in the case of a Uniswap router it should be abi.encodeWithSignature("swapExactTokensForTokens(uint256,uint256,address[],address,uint256)", amountIn, amountOutMin, path, to, deadline), in which amountIn and amountOutMin should be tied to each other so that the borrower does not lose a large amount of revenue token.