Via the deposit() function a user can deposit one token to the contract and withdraw another type of token from the contract, which may cause critical problems in future #243
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-462
satisfactory: satisfies C4 submission criteria; eligible for awards
upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L44-L51
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L65-L72
Vulnerability details
Impact
This scenario has impact when multiple tokens are listed on this platform and, for some reason, there is a price difference among them. A malicious user simply deposits the less valuable token to this platform and withdraws the more valuable token from this contract.
Another situation is when a stablecoin is on the verge of collapse (as recently happened with UST): users can front-run the owner's delistToken() call, deposit their collapsing token and withdraw another token, which will cause other users to suffer token loss.
Proof of Concept
After depositing one type of token, a user can withdraw any other type of listed token (because the withdrawal path only checks the caller's tigris stable token balance and burns it, transferring the same amount of the listed token in return). Let USDT and DAI have some price difference because DAI is collapsing (hypothetically).
I deposit() 1000 DAI
The contract mints back 1000 tigris stable token
I notice the price difference
I call withdraw() with 1000 tigris stable token and the USDT address
I successfully withdraw 1000 USDT
By making these transactions I'm stealing other users' funds
There is a delisting option, delistToken(), available for the owner to delist a token at any time, but that can be front-run.
Tools Used
Manual Review
Recommended Mitigation Steps
The contract should mint a separate tigris stable token for each listed token, as other protocols do.
For example, Aave mints a different aToken for each listed token.
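The following is an added illustration, not code from the report or from StableVault.sol: a simplified Python model of the accounting described above, next to the recommended per-token receipt scheme. The class names, user names and the `run_scenario` helper are hypothetical, and amounts are plain integers with no decimals handling.

```python
class SharedReceiptVault:
    """Model of the reported behaviour: one receipt token for all listed assets."""

    def __init__(self, listed):
        self.reserves = {t: 0 for t in listed}  # token -> amount held by the vault
        self.receipts = {}                       # holder key -> receipt balance

    def _key(self, user, token):
        return user                              # receipts are not tied to a token

    def deposit(self, user, token, amount):
        if token not in self.reserves:
            raise ValueError("token not listed")
        self.reserves[token] += amount
        k = self._key(user, token)
        self.receipts[k] = self.receipts.get(k, 0) + amount  # minted 1:1

    def withdraw(self, user, token, amount):
        if token not in self.reserves:
            raise ValueError("token not listed")
        k = self._key(user, token)
        if self.receipts.get(k, 0) < amount or self.reserves[token] < amount:
            raise ValueError("insufficient receipt balance or reserves")
        self.receipts[k] -= amount               # burned 1:1
        self.reserves[token] -= amount


class PerTokenReceiptVault(SharedReceiptVault):
    """Mitigation from the report: a separate receipt per listed token."""

    def _key(self, user, token):
        return (user, token)                     # receipt only redeems its own token


def run_scenario(vault_cls):
    """alice deposits 1000 USDT, bob deposits 1000 DAI, bob then requests USDT."""
    vault = vault_cls(["USDT", "DAI"])
    vault.deposit("alice", "USDT", 1000)
    vault.deposit("bob", "DAI", 1000)
    try:
        vault.withdraw("bob", "USDT", 1000)
        swapped = True
    except ValueError:
        swapped = False
    return swapped, dict(vault.reserves)


if __name__ == "__main__":
    print(run_scenario(SharedReceiptVault))
    print(run_scenario(PerTokenReceiptVault))
```

With the shared receipt, alice's USDT leaves the vault and she is left with a claim backed only by DAI; with per-token receipts the cross-token withdrawal is rejected and reserves are unchanged.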