Lack of access control for ClearingHouse.sol#safeTransferFrom and lack of validation for payment token when settling the auction #110
Labels: 3 (High Risk) (Assets can be stolen/lost/compromised directly); bug (Something isn't working); duplicate-521; satisfactory (satisfies C4 submission criteria; eligible for awards)
Timeline
- Jan 10, 2023: code423n4 added the labels 2 (Med Risk) (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value) and bug (Something isn't working).
- Picodes marked the issue as duplicate of #564.
- Picodes marked the issue as satisfactory.
- Feb 15, 2023: c4-judge added the satisfactory label (satisfies C4 submission criteria; eligible for awards).
- Feb 23, 2023: c4-judge added the downgraded by judge label (Judge downgraded the risk level of this issue) and removed 2 (Med Risk).
- Feb 23, 2023: Picodes changed the severity to QA (Quality Assurance); c4-judge added the QA (Quality Assurance) label (Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax).
- Feb 24, 2023: c4-judge added 3 (High Risk) (Assets can be stolen/lost/compromised directly) and removed downgraded by judge and QA (Quality Assurance).
- This previously downgraded issue has been upgraded by Picodes.
- Picodes marked the issue as not a duplicate.
- Picodes marked the issue as duplicate of #521.
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/ClearingHouse.sol#L169
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/ClearingHouse.sol#L123
Vulnerability details
Impact
Lack of access control for ClearingHouse.sol#safeTransferFrom and lack of validation for payment token when settling the auction
Proof of Concept
The function ClearingHouse#safeTransferFrom is meant to settle the auction, but the function severely lacks access control.
It calls:
An adversary can exploit the lack of input validation for encodedMetaData, from which the payment token address is derived;
the payment token address here should match the settlement token.
We can look into the liquidation flow:
First, the liquidate function is called in AstariaRouter.sol.
Then the function auctionVault is called in CollateralToken.
The function _generateValidOrderParameters is important:
Note the first consideration item:
The settlementToken is set when the order is created and matches the underlying token of the ERC4626 vault, but when the auction is settled there is no validation to make sure the derived payment token matches the settlementToken.
Now we can formalize an exploit path:
The third parameter, identifier, is decoded as the worthless token.
Tools Used
Manual Review
Recommended Mitigation Steps
We recommend that the protocol validate that the caller of safeTransferFrom in ClearingHouse is the Seaport / conduit contract, and validate that the payment token used to settle the auction matches the settlement ERC20 token in the CollateralToken and the underlying asset of the ERC4626 vault.
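The following is an added illustration of the two mitigations above, written for this page and not taken from the Astaria code base. It uses a hypothetical, simplified contract (ClearingHouseExample) whose permitted caller (conduit), settlement token and vault are assumed to be fixed at deployment; in the real protocol those values would come from the CollateralToken and vault configuration. The ERC1155-style safeTransferFrom shape and the interpretation of the third parameter as the payment token follow the report; everything else is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical settlement hook used only to illustrate the recommended checks.
/// Not Astaria's ClearingHouse: names, storage and constructor are assumptions.
contract ClearingHouseExample {
    address public immutable conduit;         // the only caller allowed to settle
    address public immutable settlementToken; // ERC4626 vault's underlying asset
    address public immutable vault;           // where auction proceeds are forwarded
    bool private settled;

    error NotConduit(address caller);
    error WrongPaymentToken(address expected, address got);
    error AlreadySettled();

    constructor(address _conduit, address _settlementToken, address _vault) {
        conduit = _conduit;
        settlementToken = _settlementToken;
        vault = _vault;
    }

    /// Mitigation 1: access control. Only the Seaport conduit may invoke settlement.
    modifier onlyConduit() {
        if (msg.sender != conduit) revert NotConduit(msg.sender);
        _;
    }

    /// Settlement callback in the ERC1155 safeTransferFrom shape. As in the report,
    /// `identifier` is decoded as the payment token address and `amount` is the
    /// amount of proceeds the caller claims to have delivered.
    function safeTransferFrom(
        address, /* from: unused in this illustration */
        address, /* to: unused in this illustration */
        uint256 identifier,
        uint256 amount,
        bytes calldata /* data: unused in this illustration */
    ) external onlyConduit {
        if (settled) revert AlreadySettled();

        // The identifier must fit in an address before it is decoded as one.
        require(identifier <= type(uint160).max, "identifier is not an address");
        address paymentToken = address(uint160(identifier));

        // Mitigation 2: the token used to settle must be the configured settlement
        // token, so a worthless token encoded in `identifier` cannot close the auction.
        if (paymentToken != settlementToken) {
            revert WrongPaymentToken(settlementToken, paymentToken);
        }
        settled = true;

        // Only forward proceeds that have actually arrived in this contract.
        uint256 held = IERC20(paymentToken).balanceOf(address(this));
        require(held >= amount, "proceeds not received");
        require(IERC20(paymentToken).transfer(vault, amount), "transfer failed");
    }
}
```

The modifier enforces the caller check and the comparison against settlementToken enforces the token check; both are independent of each other, so a deployment that gets the caller check right but omits the token comparison would still accept settlement in the wrong asset, which is the second half of the finding.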