All deposited user assets may be drained #211
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-b
Q-22
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L80-L83
Vulnerability details
Impact
All deposited user assets may be drained.
Proof of Concept
Deposited user assets can be withdrawn by Collateral.sol#managerWithdraw:
All deposited assets can be drained quickly if the admin account (ADMIN_ROLE) is leaked, or if the manager accounts (MANAGER_WITHDRAW_ROLE, SET_MANAGER_ROLE) are leaked.
An attacker holding those keys only needs to set the manager to their own EOA and the managerWithdrawHook to address(0), then call managerWithdraw to transfer all base tokens held by the contract to their account.
Tools Used
Manual
Recommended Mitigation Steps
We should make manager and managerWithdrawHook immutable: their addresses would be set at construction time to already-deployed, open-source contracts, so that no one, including a compromised admin, can change them afterwards.
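As an added illustration of that mitigation (example code, not prePO's own contract; the IERC20 subset, the hook interface and the caller check are assumptions), a minimal collateral contract whose manager and hook are fixed at deployment so a leaked admin key cannot redirect or bypass withdrawals:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface used by this example (assumed, not the project's own).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Assumed hook interface: reverts if the withdrawal violates its policy
// (e.g. exceeds an allowed amount); its signature is hypothetical.
interface IManagerWithdrawHook {
    function hook(address sender, uint256 amountBefore, uint256 amountAfter) external;
}

contract CollateralExample {
    IERC20 public immutable baseToken;
    // Hardened: both addresses are written once in the constructor and have no
    // setters, so no role can later point withdrawals at an attacker-controlled
    // EOA or replace the hook with address(0) to skip its checks.
    address public immutable manager;
    IManagerWithdrawHook public immutable managerWithdrawHook;

    constructor(IERC20 _baseToken, address _manager, IManagerWithdrawHook _hook) {
        require(_manager != address(0), "manager is zero");
        require(address(_hook) != address(0), "hook is zero");
        baseToken = _baseToken;
        manager = _manager;
        managerWithdrawHook = _hook;
    }

    // Caller check simplified to the manager itself (assumption); funds can only
    // ever leave to the immutable manager, and the immutable hook always runs.
    function managerWithdraw(uint256 amount) external {
        require(msg.sender == manager, "not manager");
        uint256 balanceBefore = baseToken.balanceOf(address(this));
        require(amount <= balanceBefore, "insufficient balance");
        managerWithdrawHook.hook(msg.sender, balanceBefore, balanceBefore - amount);
        require(baseToken.transfer(manager, amount), "transfer failed");
    }
}
```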