Hacked admin or malicious admin can immediately steal all baseToken in Collateral #117
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-254
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L80-L83
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L85-L88
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L112-L115
Vulnerability details
Impact
A hacked admin or a malicious admin can immediately steal all baseToken that users have deposited in Collateral.
If Collateral is deployed behind an upgradeable proxy, the proxy admin could additionally steal every asset that users have approved to this contract address.
Proof of Concept
A hacked admin or a malicious admin can steal the assets with the following steps:
1. Call `Collateral.setManagerWithdrawHook()` with `_newManagerWithdrawHook = 0` to disable the ManagerWithdrawHook.
2. Call `Collateral.setManager()` with `_newManager = X`.
3. Call `Collateral.managerWithdraw()` to transfer all baseToken to X (because `managerWithdrawHook` is now 0 and `manager` is now X).
All three calls can be made back to back, so there is no window in which users could react.
If Collateral is deployed as a proxy (e.g. UUPS or ERC-1967), the proxy admin could also steal all baseToken held by this contract and all assets approved to this contract by upgrading Collateral to a new malicious implementation.
Tools Used
VS Code
Recommended Mitigation Steps
For the Collateral contract, the following changes are recommended:
- `managerWithdrawHook` should be set to a valid (non-zero) contract at `initialize()`, so that the hook can never be absent.
- `Collateral.managerWithdraw()` should be locked for some time after either `managerWithdrawHook` or `manager` changes, so that users have a window to withdraw before the new configuration can be used.
For the proxy contract, two options are recommended: