marketplaces adapter contracts funds can be stolen #2
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-215
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/para-space/paraspace-core/blob/main/contracts/misc/marketplaces/X2Y2Adapter.sol#L88-L100
Vulnerability details
Description:
The X2Y2Adapter contract and the other marketplace adapters forward arbitrary calldata, together with an arbitrary msg.value, to an arbitrary contract address supplied by the caller.
Impact
An attacker can steal the ETH held by the https://github.com/para-space/paraspace-core/blob/main/contracts/misc/marketplaces/* contracts.
Proof of Concept
Funds theft
Environment: Remix IDE
In another file, deploy this:
Deploy them both.
With user1, run the "matchAskWithTakerBid" function:
matchAskWithTakerBid(ERC20address,000000000000000000000000881d40237659c251811cec9c364ef91dc08d300c0000000000000000000000000000000000000000000000000000000000000000,1)
with 2 ether as the call value; the call will be made,
the contract will send 1 ether to the example and the other 1 ether will remain in the X2Y2Adapter contract.
As the attacker,
create this contract:
On the X2Y2Adapter contract, call the "matchAskWithTakerBid" function:
matchAskWithTakerBid(malicious,0x00,1), run with 0 as msg.value. This runs Address.functionCallWithValue, which forwards the call (and the 1 ether of value) to the given address.
The malicious contract will receive that 1 ether (or whatever balance the adapter contract holds).
Tools Used
Manual testing
Recommended Mitigation Steps
Make the marketplace contract address a value set by the team rather than supplied by the caller, and require that the forwarded value equals msg.value, so no ether is left on the adapter contract:
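A hardened adapter along the lines of this recommendation, written here as an added example (it is not the ParaSpace code; the contract name, the reduced function signature, the owner mechanism and the error strings are assumptions): the marketplace address is fixed by the owner instead of passed in by the caller, and the forwarded value must equal msg.value, so the adapter never accumulates a balance that a later call could forward elsewhere.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical hardened adapter (added example, not ParaSpace code).
// Differences from the pattern described in the report:
//   1. the marketplace address is set by the owner, not passed by the caller;
//   2. the forwarded value must equal msg.value, so no ETH can pile up here.
contract HardenedMarketplaceAdapter {
    address public owner;
    address public marketplace;

    event MarketplaceUpdated(address indexed previous, address indexed current);

    modifier onlyOwner() {
        require(msg.sender == owner, "adapter: not owner");
        _;
    }

    constructor(address _marketplace) {
        owner = msg.sender;
        _setMarketplace(_marketplace);
    }

    // Only the team can change which contract the adapter forwards to.
    function setMarketplace(address _marketplace) external onlyOwner {
        _setMarketplace(_marketplace);
    }

    function _setMarketplace(address _marketplace) internal {
        // Reject EOAs and the zero address: a forwarded call to a non-contract
        // would "succeed" while simply handing the value to that address.
        require(_marketplace.code.length > 0, "adapter: marketplace must be a contract");
        emit MarketplaceUpdated(marketplace, _marketplace);
        marketplace = _marketplace;
    }

    // The caller no longer chooses the target. `value` must match msg.value
    // exactly: a caller cannot forward more than they sent (draining a
    // leftover balance) or less (leaving a balance behind for someone else).
    function matchAskWithTakerBid(bytes calldata data, uint256 value)
        external
        payable
        returns (bytes memory)
    {
        require(value == msg.value, "adapter: value != msg.value");
        (bool ok, bytes memory ret) = marketplace.call{value: value}(data);
        require(ok, "adapter: marketplace call failed");
        return ret;
    }

    // Deliberately no receive()/fallback: a plain ETH transfer to the adapter
    // reverts, so it cannot be pre-funded through an ordinary transfer.
}
```

The `value == msg.value` check is the core of the fix; the owner-set `marketplace` address closes the "arbitrary contract" half of the finding. ETH can still be forced into any contract via `selfdestruct`, so an adapter that must never hold funds should also be checked for a zero balance by monitoring rather than relying on the missing `receive()` alone.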