New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hacked/Malicious owner can steal funds from StableVault
#383
Comments
Will bulk it under the "Admin can Rug via new asser" and ignore the timelock which we dispute as unfalsifiable |
Coded POC -> wins |
GalloDaSballo marked the issue as primary issue |
We are aware of the centralization risks, owner will be a multisig to reduce centralization until owner becomes the dao later. |
TriHaz marked the issue as sponsor acknowledged |
GalloDaSballo marked the issue as duplicate of #377 |
GalloDaSballo marked the issue as satisfactory |
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L78-L83
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L44-L51
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableVault.sol#L65-L72
Vulnerability details
Impact
StableVault
allows users to deposit any token allowed by the owner, and they are minted the stable coin (tigUSD
) in return.However a hacked/malicious owner may, potentially within a single transaction, mint a useless ERC20 token with arbitrarily high initial supply, call
listToken
to allow it to be deposited, calldeposit
to deposit it, receive the minted stable token, and callwithdraw
to use that stable token to withdraw any authentic tokens previously deposited by other users.In this case users would not be able to withdraw the tokens that they deposited, and would only be able to withdraw the useless ERC20 attack token used by the hacked/malicious owner. The fact that this is possible within a single transaction leaves users with no opportunity to avoid their tokens being stolen.
Proof of Concept
The following test was passed within
test/06.StableVault.js
:After the attack, the stable token is backed only by
uselessToken
, making it effectively worthless.UselessToken.sol:
Tools Used
Hardhat
Recommended Mitigation Steps
Implement a timelock for
listToken()
anddelistToken()
, so that users have a window to withdraw their funds before malicious actions become possible.The text was updated successfully, but these errors were encountered: