Rebasing Token's increased token amount will be locked up forever #223
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- duplicate-47
- satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L55-L56
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/interfaces/ISizeSealed.sol#L77-L78
Vulnerability details
Impact
Tokens such as Aave aTokens are rebasing tokens whose token amount increases over time.
Since the `SizeSealed` contract references the deposited token amount from user input, any token amount that increased over time will not be referenced, which means the increased token amount will be locked in the contract forever.
Also, since the `SizeSealed` contract has no limitation on what token can be used as `baseToken` and `quoteToken`, this issue applies to both `baseToken` and `quoteToken`.
aTokens reference:
https://edge.app/blog/company-news/interest-bearing-tokens-in-edge-atokens-ctokens/
Proof of Concept
Any token can be specified for both `baseToken` and `quoteToken` in the `createAuction` function.
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L55-L56
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/interfaces/ISizeSealed.sol#L77-L78
`createAuction` function: The auction seller sends its specified base token amount to the `SizeSealed` contract.
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L56
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/interfaces/ISizeSealed.sol#L80
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L98-L100
`finalize` function: When tokens are sent back to the seller, the token amount is taken from `totalBaseAmount`, which was specified by the seller when executing the `createAuction` function, meaning that any increased token amount is ignored.
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L217-322
`cancelAuction` function: Same as the `finalize` function explained above.
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L391-L392
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L409
`bid` function: The bidder sends its specified `quoteAmount` to the `SizeSealed` contract.
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L124
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L163
`refund` function: When tokens are sent back to the bidder, the token amount is taken from `quoteAmount`, which was specified by the bidder when executing the `bid` function, meaning that any increased token amount is ignored.
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L336-L338
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L351
`withdraw` function: Same as the `refund` function explained above.
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L376-L381
`cancelBid` function: Same as the `refund` function explained above.
https://github.com/code-423n4/2022-11-size/blob/706a77e585d0852eae6ba0dca73dc73eb37f8fb6/src/SizeSealed.sol#L439
Tools Used
Manual Analysis
Recommended Mitigation Steps
Add whitelist logic to limit what kinds of token are allowed to be set as `baseToken` and `quoteToken`, or track the total amount currently deposited and allow the seller/bidder to withdraw the token amount that increased over time.
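A minimal Python model of the accounting described in this report, added here as an illustration; it is not code from the issue or from `SizeSealed.sol`. `RebasingToken`, `NominalEscrow`, `ShareEscrow`, `round_trip`, the account names and all amounts are constructed, and `ShareEscrow` is only one assumed way to realise the second mitigation (record a share of the live balance rather than the caller-supplied amount).

```python
RAY = 10**27  # fixed-point scale for the rebase index
class RebasingToken:
    """Constructed aToken-like token: balance = scaled * index / RAY."""
    def __init__(self):
        self.index, self.scaled = RAY, {}
    def balance_of(self, who):
        return self.scaled.get(who, 0) * self.index // RAY
    def transfer(self, src, dst, amount):
        s = amount * RAY // self.index  # nominal amount -> scaled units
        self.scaled[src] -= s
        self.scaled[dst] = self.scaled.get(dst, 0) + s

class NominalEscrow:
    """Records and repays the caller-supplied amount, as the report describes."""
    def __init__(self, token):
        self.token, self.recorded = token, {}
    def deposit(self, who, amount):
        self.token.transfer(who, "escrow", amount)
        self.recorded[who] = self.recorded.get(who, 0) + amount
    def withdraw(self, who):
        amount = self.recorded.pop(who)
        self.token.transfer("escrow", who, amount)
        return amount

class ShareEscrow(NominalEscrow):
    """Assumed mitigation: record a share of the escrow's live balance."""
    def __init__(self, token):
        super().__init__(token)
        self.total = 0
    def deposit(self, who, amount):
        before = self.token.balance_of("escrow")
        self.token.transfer(who, "escrow", amount)
        shares = amount if self.total == 0 else amount * self.total // before
        self.recorded[who] = self.recorded.get(who, 0) + shares
        self.total += shares
    def withdraw(self, who):
        shares = self.recorded.pop(who)
        amount = shares * self.token.balance_of("escrow") // self.total
        self.total -= shares
        self.token.transfer("escrow", who, amount)
        return amount

def round_trip(escrow_cls, deposit=2_100_000, growth_pct=5):
    token = RebasingToken()
    token.scaled["seller"] = deposit  # index is RAY, so scaled == nominal
    escrow = escrow_cls(token)
    escrow.deposit("seller", deposit)
    token.index = token.index * (100 + growth_pct) // 100  # rebase while escrowed
    return escrow.withdraw("seller"), token.balance_of("escrow")  # (paid, stranded)
```

`round_trip(NominalEscrow)` leaves the accrued amount in the escrow with no recorded owner, while `round_trip(ShareEscrow)` pays it out with the principal.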