Manager can steal entire User balance #48
Labels
2 (Med Risk) - Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug - Something isn't working
duplicate-254
satisfactory - satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/Collateral.sol#L80
Vulnerability details

Impact
It seems MANAGER_WITHDRAW_ROLE can steal the entire user balance if SET_MIN_RESERVE_PERCENTAGE_ROLE has called setMinReservePercentage with 0%.

Proof of Concept
1. The SET_MIN_RESERVE_PERCENTAGE_ROLE role sets minReservePercentage to 0%.
2. The MANAGER_WITHDRAW_ROLE role simply calls managerWithdraw with the contract balance as _amount.
3. The hook, which allows withdrawing everything above the reserve, relies on getMinReserve, which is implemented as below. Since minReservePercentage is 0, getMinReserve becomes 0.
4. The withdrawable amount is therefore collateral.getReserve() - _amountAfterFee, which is approximately the entire balance (without fees).

Recommended Mitigation Steps
Do not allow SET_MIN_RESERVE_PERCENTAGE_ROLE to call setMinReservePercentage with 0.
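As an added illustration (not prePO's code), the sketch below is a hypothetical, simplified stand-in for the Collateral contract and its withdraw hook: it keeps the vulnerable setter next to the mitigated one, and the manager withdrawal is capped at everything above getMinReserve, so with a 0% floor the cap is the whole reserve. The percent denominator, role modifiers and in-memory reserve are assumptions made for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified stand-in for the Collateral/hook pair in the report;
// not prePO's code. Role checks are reduced to single-address checks.
contract MinimalCollateral {
    uint256 public constant PERCENT_DENOMINATOR = 1_000_000; // assumption: 1e6 == 100%
    uint256 public minReservePercentage;
    uint256 private reserve; // constructed sample: base-token balance held for users
    address public reserveSetter; // plays SET_MIN_RESERVE_PERCENTAGE_ROLE
    address public manager;       // plays MANAGER_WITHDRAW_ROLE

    constructor(address _reserveSetter, address _manager, uint256 _initialReserve) {
        reserveSetter = _reserveSetter;
        manager = _manager;
        reserve = _initialReserve;
    }

    // Vulnerable form: any value, including 0, is accepted, so the floor can be removed.
    function setMinReservePercentageUnchecked(uint256 _pct) external {
        require(msg.sender == reserveSetter, "not SET_MIN_RESERVE_PERCENTAGE_ROLE");
        require(_pct <= PERCENT_DENOMINATOR, "pct > 100%");
        minReservePercentage = _pct;
    }

    // Mitigated form: a 0% floor is rejected, so managerWithdraw can never drain the reserve.
    function setMinReservePercentage(uint256 _pct) external {
        require(msg.sender == reserveSetter, "not SET_MIN_RESERVE_PERCENTAGE_ROLE");
        require(_pct > 0 && _pct <= PERCENT_DENOMINATOR, "pct must be in (0, 100%]");
        minReservePercentage = _pct;
    }

    function getReserve() public view returns (uint256) {
        return reserve;
    }

    // With minReservePercentage == 0 this returns 0, which is the root of the finding.
    function getMinReserve() public view returns (uint256) {
        return (reserve * minReservePercentage) / PERCENT_DENOMINATOR;
    }

    // The hook's rule: the manager may only take what sits above the minimum reserve.
    function managerWithdraw(uint256 _amount) external {
        require(msg.sender == manager, "not MANAGER_WITHDRAW_ROLE");
        require(reserve - _amount >= getMinReserve(), "would breach min reserve");
        reserve -= _amount;
        // transfer of _amount to the manager is omitted in this sketch
    }
}
```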