Malicious protocol owner can steal all users funds (Centralization risk) #153
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- duplicate-377
- edited-by-warden
- satisfactory: satisfies C4 submission criteria; eligible for awards
- sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/b2ebb8ea1def4927a747e7a185174892506540ab/contracts/Trading.sol#L926-L933
Vulnerability details
Impact
The Tigris protocol does not have enough boundary conditions to prevent a malicious owner from stealing users' funds.
By using some `onlyOwner` actions, it is possible, for example, to call `Trading.setMaxWinPercent` with any arbitrary value, including one greater than 100%, which would make it possible to open a position and close it with an arbitrarily high payout, allowing the owner to drain all of the vault's funds.
Even if we trust the protocol owner, we believe this is an unnecessary and serious centralization risk. A malicious or compromised owner address can take advantage of this and steal all the funds from the protocol.
Proof of Concept
Call `Trading.setMaxWinPercent`, setting the max win percent to an extremely large number, enough to empty the whole vault.
Tools Used
Manual analysis
Recommended Mitigation Steps
Impose boundary checks for all owner-controlled actions. For example, enforce a maximum value for `maxWinPercent`. Review the other functions with the `onlyOwner` modifier and validate whether the scope of these actions can be limited in order to reduce the damage of a potential incident.
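As an added illustration of the bounded-setter mitigation (example code, not Tigris code from the linked repository): an unbounded `onlyOwner` setter of the kind the finding describes beside a version with a hard ceiling and an event. The contract names, the basis-point scaling, the `cappedProfit` helper and the 100% ceiling are assumptions made for this example, not values taken from the Tigris code base.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration, not Tigris code. Contract and variable names, the
/// basis-point scaling and the 100% ceiling are assumptions for the example.
abstract contract TradingBase {
    address public immutable owner;
    uint256 public constant BPS = 10_000;   // 10_000 bps == 100%
    uint256 public maxWinPercent = BPS;     // profit capped at 100% of margin by default

    error NotOwner();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Profit paid out on close: the raw PnL, capped at maxWinPercent of the margin.
    /// Whatever maxWinPercent allows, the vault pays; a huge value means a huge payout.
    function cappedProfit(uint256 margin, uint256 rawProfit) public view returns (uint256) {
        uint256 cap = (margin * maxWinPercent) / BPS;
        return rawProfit > cap ? cap : rawProfit;
    }
}

/// Before: the owner can set any value. With maxWinPercent = 1e9 bps (100_000x),
/// a position with 1 ETH of margin can be closed for up to 100_000 ETH of "profit".
contract UnboundedTrading is TradingBase {
    function setMaxWinPercent(uint256 newValue) external onlyOwner {
        maxWinPercent = newValue; // no upper bound at all
    }
}

/// After: a hard ceiling baked into the contract, plus an event so that every
/// change is visible to off-chain monitoring.
contract BoundedTrading is TradingBase {
    uint256 public constant MAX_WIN_PERCENT_CEILING = BPS; // assumed ceiling: 100% of margin

    event MaxWinPercentUpdated(uint256 previous, uint256 current);
    error MaxWinPercentTooHigh(uint256 requested, uint256 ceiling);

    function setMaxWinPercent(uint256 newValue) external onlyOwner {
        if (newValue > MAX_WIN_PERCENT_CEILING) {
            revert MaxWinPercentTooHigh(newValue, MAX_WIN_PERCENT_CEILING);
        }
        emit MaxWinPercentUpdated(maxWinPercent, newValue);
        maxWinPercent = newValue;
    }
}
```

The ceiling bounds the payout of any single position, which is what the finding asks for; it does not remove the trust placed in the owner key for the remaining `onlyOwner` functions. Putting those functions behind a multisig or a timelock, and alerting on the emitted event, are the usual complements to in-contract bounds checks.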