Public to all funds escape #277
Comments
code423n4
added
3 (High Risk)
|
Picodes marked the issue as primary issue |
c4-judge
added
the
primary issue
|
As only stuck funds are at risk, and as the aggregator contract itself is not supposed to handle funds, I don't think this qualify for High Severity |
c4-judge
added
2 (Med Risk)
|
Picodes changed the severity to 2 (Med Risk) |
c4-judge
added
the
selected for report
|
Picodes marked the issue as selected for report |
|
We have decided that any ERC20 tokens sent there accidentally are free for all |
|
0xhiroshi marked the issue as sponsor disputed |
c4-sponsor
added
the
sponsor disputed
|
Keeping the medium severity because the contract implements |
c4-judge
added
the
satisfactory
|
Picodes marked the issue as satisfactory |
Lines of code
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/TokenRescuer.sol#L22
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/TokenRescuer.sol#L34
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L27
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L108
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L109
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L245
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/lowLevelCallers/LowLevelETH.sol#L43
Vulnerability details
Description
The
LooksRareAggregatorsmart contract implements a bunch of functions to escape funds by the contract owner (seerescueETH,rescueERC20,rescueERC721, andrescueERC1155). In this way, any funds that were accidentally sent to the contract or were locked due to incorrect contract implementation can be returned to the owner. However, locked funds can be rescued by anyone without the owner's permission. This is completely contrary to the idea of having rescue functions.In order to withdraw funds from the contract, a user may just call the
executefunction in theERC20EnabledLooksRareAggregatorwithtokenTransfersthat contain the addresses of tokens to be withdrawn. Thus, after the order execution_returnERC20TokensIfAnyand_returnETHIfAnywill be called, and the whole balance of provided ERC20 tokens and Ether will be returned tomsg.sender.Please note, that means that the owner can be front-ran with
rescuefunctions and an attacker will receive funds instead.Impact
Useless of rescue functionality and vulnerability to jamming funds.
Recommended Mitigation Steps
_returnETHIfAnyand_returnERC20TokensIfAnyshould return the amount of the token that was deposited.The text was updated successfully, but these errors were encountered: