Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

All deposited user assets may be drained #211

Open
code423n4 opened this issue Dec 12, 2022 · 5 comments
Open

All deposited user assets may be drained #211

code423n4 opened this issue Dec 12, 2022 · 5 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-b Q-22 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L80-L83

Vulnerability details

Impact

All deposited user assets may be drained.

Proof of Concept

Deposited user assets can be withdrawn by Collateral.sol#managerWithdraw:

  function managerWithdraw(uint256 _amount)
    external
    override
    onlyRole(MANAGER_WITHDRAW_ROLE)
    nonReentrant
  {
    if (address(managerWithdrawHook) != address(0)) {
      managerWithdrawHook.hook(msg.sender, _amount, _amount);
    }
    baseToken.transfer(manager, _amount);
  }

All deposited assets can be drained easily and quickly if admin account(ADMIN_ROLE) is leaked or manager accounts(MANAGER_WITHDRAW_ROLE, SET_MANAGER_ROLE) are leaked.

All the hacker has to do is set the manager(to his EOA) and ManagerWithdrawHook (to 0), and then invoke managerWithdrawHook to transfer all base tokens stored in the contract to his account.

Tools Used

Manual

Recommended Mitigation Steps

We should make manager and managerWithdrawHook immutable, their addresses are set to deployed open source contracts when the contract is created so that no one can change them.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Dec 12, 2022
code423n4 added a commit that referenced this issue Dec 12, 2022
@code423n4
wait issue #211
e95698b
@Picodes
Copy link

Picodes commented Dec 13, 2022
edited

This is a centralization issue, and a design choice, although it's right that it should be properly documented and disclosed

@c4-judge
Copy link
Contributor

Picodes changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Dec 13, 2022
c4-judge added a commit that referenced this issue Dec 13, 2022
@c4-judge
Q-report created from downgraded finding #211
36005f5
@c4-judge c4-judge mentioned this issue Dec 13, 2022
Closed
@c4-judge
Copy link
Contributor

Picodes marked the issue as grade-b

@c4-sponsor
Copy link

davidprepo marked the issue as sponsor disputed

@c4-sponsor c4-sponsor added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Dec 22, 2022
@ramenforbreakfast
Copy link

Disputing this issue because it is just pointing out 1 centralization issue that has already been mentioned by countless other more thorough submissions.

@C4-Staff C4-Staff added the Q-22 label Jan 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-b Q-22 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@ramenforbreakfast @Picodes @code423n4 @c4-judge @c4-sponsor @C4-Staff