New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
'buyAndReduceDebt()' will always revert if called with a fee parameter set #20
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-196
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
labels
Dec 17, 2022
Seems like non-core functionality may be impaired. Will let sponsor weigh in. |
trust1995 marked the issue as satisfactory |
c4-judge
added
the
satisfactory
satisfies C4 submission criteria; eligible for awards
label
Dec 25, 2022
trust1995 marked the issue as primary issue |
c4-judge
added
the
primary issue
Highest quality submission among a set of duplicates
label
Dec 25, 2022
This was referenced Dec 25, 2022
Yup. Big miss on our part |
wilsoncusack marked the issue as sponsor confirmed |
c4-sponsor
added
the
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
label
Jan 3, 2023
C4-Staff
added a commit
that referenced
this issue
Jan 6, 2023
JeeberC4 marked the issue as duplicate of #196 |
C4-Staff
added
duplicate-196
and removed
primary issue
Highest quality submission among a set of duplicates
labels
Jan 10, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-196
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/with-backed/papr/blob/9528f2711ff0c1522076b9f93fba13f88d5bd5e6/src/PaprController.sol#L208-L232
Vulnerability details
Impact
There is a bug in
PaprController.buyAndReducedebt()
in which a caller-set fee is incorrectly transfered viatransfer()
to the fee receiver. Because thePaprController.sol
won't be holding any underlying tokens this transaction will always revert when the fee is set. The fee should be paid by themsg.sender
and not by the protocol.We can see above that if
hasFee == true
, which is inputted by the caller,amountIn * params.swapFeeBips / BIPS_ONE
amount of underlying tokens are transferred to a fee receiver, also inputted by the caller.This fee is sent out to
params.swapfeeTo
:underlying.transfer(params.swapFeeTo, amountIn * params.swapFeeBips / BIPS_ONE);
Because the
PaprController.sol
contract won't be holding any underlying token, this transfer would always revert the whole transaction with Arithmetic underflow since theERC20.transfer()
function is trying to substract the fee amount from 0:If
PaprController.sol
would ever be holding the underlying token it would be possible to drain it immediately but because this is not the case and user funds are not at direct risk I will report this as Medium.Proof of Concept
Modifying the
test/paprController/BuyAndReduceDebt.t.sol
contract functiontestBuyAndReduceDebtReducesDebt()
so that the fee is something more than zero will point out the issue.Bob wants to call
PaprController.buyAndReduceDebt()
function with a fee sent to a specific address but because of the issue at hand the transaction would revert.Tools Used
Manual review with VS Code.
Recommended Mitigation Steps
Use the
safeTransferFrom()
function fromSafeTransferLib.sol
instead oftransfer()
. This way the fees will be transferred frommsg.sender
toswapFeesTo
and would revert on failure.The text was updated successfully, but these errors were encountered: