Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User able deposit one token and withdraw another type, causing some critical problem in future #210

Closed
code423n4 opened this issue Dec 15, 2022 · 3 comments
Closed

User able deposit one token and withdraw another type, causing some critical problem in future #210

code423n4 opened this issue Dec 15, 2022 · 3 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-462 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards upgraded by judge Original issue severity upgraded from QA/Gas by judge

Comments

@code423n4
Copy link
Contributor

code423n4 commented Dec 15, 2022
edited

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L44-L51
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L65-L72

Vulnerability details

Impact

When one token is to collapsed, attacker can front-runned and deposit one token(That about to collapse) and withdraw other token.
This senario also possible when 2 token supported by this contract but due to some reason they have price difference between them, so mallicious user take advantage of it deposit less valuable token, withdraw expensive one, that will affect normal users experience.

Proof of Concept

Another Issue here i notice that, after depositing one type token, user can able to withdraw any other type of listed token(because in withdrawing case it only check caller's tigris stable token balance and burn those, in return transfer same amount of listed tokens).
May be its a feature.

But As we recently notice many stable coin collapsed (like UST and other), so it may possible that a coin that listed in that platform on the verge of collapse so users may get deposit their token to this platform(contract) in return get other stable token,

Let USDT is about to collapse(Hypothetically)
I deposit() 1000 USDT and withdraw out 1000 DAI
In this way i'm stealing other users funds

Obviously I notice there is a delisting option delistToken() available for owner to delist a token any time, but that can be front-runned

    function deposit(address _token, uint256 _amount) public {  
        require(allowed[_token], "Token not listed");
        IERC20(_token).transferFrom(_msgSender(), address(this), _amount);
        IERC20Mintable(stable).mintFor(
            _msgSender(),
            _amount*(10**(18-IERC20Mintable(_token).decimals()))
        );
    }

    function withdraw(address _token, uint256 _amount) external returns (uint256 _output) {
        IERC20Mintable(stable).burnFrom(_msgSender(), _amount);
        _output = _amount/10**(18-IERC20Mintable(_token).decimals());
        IERC20(_token).transfer(
            _msgSender(),
            _output
        );
    }

Tools Used

Manual Review

Recommended Mitigation Steps

May be you should mint different type of tigris stable token for different type of erc20 like other popular platfoms like aave and many more,
or made some logic change
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 15, 2022
code423n4 added a commit that referenced this issue Dec 15, 2022
@code423n4
0xhacksmithh issue #210
d4766db
@code423n4 code423n4 changed the title deposit() function of Contract StableVault.sol can be bypass using USDT token and User able deposit one token and withdraw another type, causing some critical problem in future User able deposit one token and withdraw another type, causing some critical problem in future Dec 15, 2022
@c4-judge
Copy link
Contributor

GalloDaSballo marked the issue as duplicate of #462

@c4-judge
Copy link
Contributor

GalloDaSballo changed the severity to 3 (High Risk)

@c4-judge c4-judge added 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Dec 20, 2022
@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jan 22, 2023
@c4-judge
Copy link
Contributor

GalloDaSballo marked the issue as satisfactory

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-462 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards upgraded by judge Original issue severity upgraded from QA/Gas by judge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@code423n4 @c4-judge