User able to deposit one token and withdraw another type, causing a critical problem in the future #210
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-462
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L44-L51
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L65-L72
Vulnerability details
Impact
When one token is about to collapse, an attacker can front-run and deposit that token (the one about to collapse) and withdraw another token.
This scenario is also possible when two tokens supported by this contract have, for some reason, a price difference between them, so a malicious user can take advantage of it by depositing the less valuable token and withdrawing the more expensive one, which will affect normal users' experience.
Proof of Concept
Another issue I noticed here is that, after depositing one type of token, a user is able to withdraw any other type of listed token (because in the withdrawing case it only checks the caller's tigris stable token balance and burns those, and in return transfers the same amount of the listed token). Maybe it's a feature.
But as we recently noticed, many stable coins collapsed (like UST and others), so it is possible that a coin listed on that platform is on the verge of collapse, so users may deposit their token to this platform (contract) and in return get another stable token.
Let USDT be about to collapse (hypothetically).
I deposit() 1000 USDT and withdraw 1000 DAI.
In this way I'm stealing other users' funds.
Obviously I noticed there is a delisting option delistToken() available for the owner to delist a token at any time, but that can be front-run.
Tools Used
Manual Review
Recommended Mitigation Steps
Maybe you should mint a different type of tigris stable token for each type of ERC20, like other popular platforms such as Aave and many more,
or make some logic change.
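The scenario from the proof of concept and the suggested per-token receipt mitigation, as an added toy model written for this page. It is not the Tigris StableVault source: token amounts are plain integers (no decimals scaling), holders are named strings, the collapsed-token price and the "pending delistToken()" ordering are constructed for the illustration, and the hardened vault is one way to implement the aToken-style suggestion above, not the project's fix.

```python
"""Toy model of a single-receipt-token stable vault (constructed example, not the
Tigris StableVault source) showing why depositing token A and withdrawing token B
lets an attacker leave honest depositors backed by a collapsed asset."""


class ERC20:
    """Minimal token ledger; balances keyed by holder name."""

    def __init__(self, symbol, balances):
        self.symbol = symbol
        self.balances = dict(balances)

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError(f"{sender} lacks {amount} {self.symbol}")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class SingleReceiptVault:
    """Deposit any listed token, receive 1:1 'tigUSD'; withdraw burns tigUSD and
    pays out ANY listed token. Mirrors the behaviour the finding describes."""

    NAME = "vault"

    def __init__(self, listed):
        self.listed = set(listed)
        self.stable = {}  # tigUSD balances per holder

    def deposit(self, user, token, amount):
        if token not in self.listed:
            raise ValueError("token not listed")
        token.transfer(user, self.NAME, amount)
        self.stable[user] = self.stable.get(user, 0) + amount

    def withdraw(self, user, token, amount):
        if token not in self.listed:
            raise ValueError("token not listed")
        if self.stable.get(user, 0) < amount:
            raise ValueError("insufficient tigUSD")
        self.stable[user] -= amount
        # Only the tigUSD balance was checked: which token was deposited is unknown.
        token.transfer(self.NAME, user, amount)

    def delist(self, token):
        self.listed.discard(token)


class PerTokenReceiptVault(SingleReceiptVault):
    """Hardened variant (assumption, aToken-style): one receipt balance per
    underlying, so a withdrawal can only return the token that was deposited."""

    def __init__(self, listed):
        super().__init__(listed)
        self.receipts = {}  # (user, token) -> receipt amount

    def deposit(self, user, token, amount):
        if token not in self.listed:
            raise ValueError("token not listed")
        token.transfer(user, self.NAME, amount)
        self.receipts[(user, token)] = self.receipts.get((user, token), 0) + amount

    def withdraw(self, user, token, amount):
        if self.receipts.get((user, token), 0) < amount:
            raise ValueError(f"no {token.symbol} receipt to burn")
        self.receipts[(user, token)] -= amount
        token.transfer(self.NAME, user, amount)


def run_scenario(vault_cls):
    """Honest alice deposits DAI; mallory front-runs the owner's delist of a
    depegging USDT by depositing it and pulling alice's DAI out."""
    dai = ERC20("DAI", {"alice": 1000, "mallory": 0, "vault": 0})
    usdt = ERC20("USDT", {"mallory": 1000, "vault": 0})
    vault = vault_cls([dai, usdt])
    vault.deposit("alice", dai, 1000)       # honest deposit, earlier block
    vault.deposit("mallory", usdt, 1000)    # lands before delistToken(USDT)
    try:
        vault.withdraw("mallory", dai, 1000)
        attack_succeeded = True
    except ValueError:
        attack_succeeded = False
    vault.delist(usdt)                      # owner's tx arrives too late
    usdt_price = 0                          # constructed: USDT has collapsed
    backing = dai.balances["vault"] * 1 + usdt.balances["vault"] * usdt_price
    return {
        "attack_succeeded": attack_succeeded,
        "mallory_dai": dai.balances["mallory"],
        "vault_dai": dai.balances["vault"],
        "vault_usdt": usdt.balances["vault"],
        "backing_value_for_alice": backing,
    }


if __name__ == "__main__":
    print("single receipt token:", run_scenario(SingleReceiptVault))
    print("per-token receipts:  ", run_scenario(PerTokenReceiptVault))
```

With the single receipt token, mallory walks away with alice's 1000 DAI and the vault is left holding only the worthless USDT; with per-token receipts the DAI withdrawal is refused because mallory never deposited DAI, so alice's backing survives the collapse.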