Attacker can empty the underlying tokens from the PaprController. #174
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-196
edited-by-warden
partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L226
Vulnerability details
The bug exists in the buyAndReduceDebt function. The expected value params.swapFeeBips should be ≤ BIPS_ONE. Here the params.swapFeeBips value is not checked to be less than or equal to BIPS_ONE. An attacker can set the value of params.swapFeeBips to be very high and params.swapFeeTo to be their own address. It is possible to set these values such that the attacker transfers nearly all the underlying tokens to themselves in a transaction.
POC
A quick POC in foundry:
BuyAndReduceDebt.t.sol to the code below.
forge test --match-contract BuyAndReduceDebt -vvv
Output:
Impact
The attacker was able to steal almost all the underlying tokens from the contract.
Recommendations
Add a check in buyAndReduceDebt function:
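The bound described under Recommendations, as an added Solidity sketch (not the report's or the papr project's own code). It assumes the fee is computed as amountIn * swapFeeBips / BIPS_ONE and that BIPS_ONE is 1e4; SwapFeeBounded, SwapFeeTooLarge, FeeTransferFailed, _boundedSwapFee and _paySwapFee are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC20 surface needed for the fee payout.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Added illustration: a stripped-down model of the fee step, not PaprController.
abstract contract SwapFeeBounded {
    // Assumption: basis-point denominator. The page only names the constant.
    uint256 internal constant BIPS_ONE = 1e4;

    error SwapFeeTooLarge(uint256 swapFeeBips, uint256 maxBips);
    error FeeTransferFailed();

    // Rejects any caller-supplied fee rate above 100%.
    // Assumed formula: fee = amountIn * swapFeeBips / BIPS_ONE.
    // Once swapFeeBips <= BIPS_ONE holds, fee <= amountIn always holds,
    // so the payout is capped by the size of the caller's own swap.
    function _boundedSwapFee(uint256 amountIn, uint256 swapFeeBips)
        internal
        pure
        returns (uint256)
    {
        if (swapFeeBips > BIPS_ONE) revert SwapFeeTooLarge(swapFeeBips, BIPS_ONE);
        return amountIn * swapFeeBips / BIPS_ONE;
    }

    // Internal helper standing in for the fee transfer inside buyAndReduceDebt.
    // The rate is validated before any token leaves the contract.
    function _paySwapFee(
        IERC20Like underlying,
        address swapFeeTo,
        uint256 amountIn,
        uint256 swapFeeBips
    ) internal returns (uint256 fee) {
        fee = _boundedSwapFee(amountIn, swapFeeBips);
        if (fee != 0 && !underlying.transfer(swapFeeTo, fee)) revert FeeTransferFailed();
    }
}
```

A Foundry test for this check would assert that a call with swapFeeBips = BIPS_ONE + 1 reverts with SwapFeeTooLarge and that the contract's underlying balance is unchanged afterwards.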