VAULT CAN BE CREATED FOR NOT-YET-EXISTING ERC20 TOKENS, WHICH ALLOWS ATTACKERS TO SET TRAPS TO STEAL NFTs FROM BORROWERS #158

code423n4 · 2023-01-12T12:32:57Z

Lines of code

Vulnerability details

Impact

There is a subtle difference between the implementation of solmate’s SafeTransferLib and OZ’s SafeERC20: OZ’s SafeERC20 checks if the token is a contract or not, solmate’s SafeTransferLib does not.
See: https://github.com/Rari-Capital/solmate/blob/main/src/utils/SafeTransferLib.sol#L9
Note that none of the functions in this library check that a token has code at all! That responsibility is delegated to the caller.
As a result, when the token’s address has no code, the transaction will just succeed with no error.
This attack vector was made well-known by the qBridge hack back in Jan 2022.

In AstariaRouter, Vault, PublicVault, VaultImplementation, ClearingHouse, TransferProxy, and WithdrawProxy, the safetransfer and safetransferfrom don't check the existence of code at the token address. This is a known issue while using solmate’s libraries.

Hence this can lead to miscalculation of funds and also loss of funds , because if safetransfer() and safetransferfrom() are called on a token address that doesn’t have contract in it, it will always return success. Due to this protocol will think that funds has been transferred and successful , and records will be accordingly calculated, but in reality funds were never transferred.
So this will lead to miscalculation and loss of funds.

Attack scenario (example):

It’s becoming popular for protocols to deploy their token across multiple networks and when they do so, a common practice is to deploy the token contract from the same deployer address and with the same nonce so that the token address can be the same for all the networks.
A sophisticated attacker can exploit it by taking advantage of that and setting traps on multiple potential tokens to steal from the borrowers. For example: 1INCH is using the same token address for both Ethereum and BSC; Gelato's $GEL token is using the same token address for Ethereum, Fantom and Polygon.

ProjectA has TokenA on another network;
ProjectB has TokenB on another network;
ProjectC has TokenC on another network;
A malicious strategist (Bob) can create new PublicVaults with amounts of 10000E18 for TokenA, TokenB, and TokenC.
A few months later, ProjectB lunched TokenB on the local network at the same address;
Alice as a liquidator deposited 11000e18 TokenB into the vault;
The attacker (Bob) can withdraw to receive most of Alice added TokenB.

Proof of Concept

Tools Used

Manual Audit

Recommended Mitigation Steps

This issue won’t exist if OpenZeppelin’s SafeERC20 is used instead.

The text was updated successfully, but these errors were encountered:

c4-judge · 2023-01-23T16:44:38Z

Picodes marked the issue as primary issue

androolloyd · 2023-01-25T17:55:51Z

the protocol has no enforcement of the assets that can be listed, only tokens that are known should be interacted with by users and UI implementations.

c4-sponsor · 2023-01-27T03:33:37Z

SantiagoGregory marked the issue as sponsor confirmed

c4-judge · 2023-02-19T16:21:26Z

Picodes changed the severity to 2 (Med Risk)

c4-judge · 2023-02-19T16:21:39Z

Picodes marked the issue as satisfactory

c4-judge · 2023-02-19T16:21:43Z

Picodes marked the issue as selected for report

Picodes · 2023-02-24T09:29:49Z

Keeping this report as medium due to the credibility of the attack path described

code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jan 12, 2023

code423n4 added a commit that referenced this issue Jan 12, 2023

pwnforce issue #158

072366d

c4-judge added the primary issue Highest quality submission among a set of duplicates label Jan 23, 2023

This was referenced Jan 23, 2023

SOLMATE SAFETRANSFER AND SAFETRANSFERFROM DOES NOT CHECK THE CODESIZE OF THE TOKEN ADDRESS, WHICH MAY LEAD TO FUND LOSS #113

Open

Solmate's SafeTransferLib does not check for token contract's existence #242

Open

c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jan 27, 2023

c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Feb 19, 2023

c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 19, 2023

c4-judge added the selected for report This submission will be included/highlighted in the audit report label Feb 19, 2023

C4-Staff added the M-25 label Feb 28, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

VAULT CAN BE CREATED FOR NOT-YET-EXISTING ERC20 TOKENS, WHICH ALLOWS ATTACKERS TO SET TRAPS TO STEAL NFTs FROM BORROWERS #158

VAULT CAN BE CREATED FOR NOT-YET-EXISTING ERC20 TOKENS, WHICH ALLOWS ATTACKERS TO SET TRAPS TO STEAL NFTs FROM BORROWERS #158

code423n4 commented Jan 12, 2023

c4-judge commented Jan 23, 2023

androolloyd commented Jan 25, 2023

c4-sponsor commented Jan 27, 2023

c4-judge commented Feb 19, 2023

c4-judge commented Feb 19, 2023

c4-judge commented Feb 19, 2023

Picodes commented Feb 24, 2023

VAULT CAN BE CREATED FOR NOT-YET-EXISTING ERC20 TOKENS, WHICH ALLOWS ATTACKERS TO SET TRAPS TO STEAL NFTs FROM BORROWERS #158

VAULT CAN BE CREATED FOR NOT-YET-EXISTING ERC20 TOKENS, WHICH ALLOWS ATTACKERS TO SET TRAPS TO STEAL NFTs FROM BORROWERS #158

Comments

code423n4 commented Jan 12, 2023

Lines of code

Vulnerability details

Impact

Attack scenario (example):

Proof of Concept

Tools Used

Recommended Mitigation Steps

c4-judge commented Jan 23, 2023

androolloyd commented Jan 25, 2023

c4-sponsor commented Jan 27, 2023

c4-judge commented Feb 19, 2023

c4-judge commented Feb 19, 2023

c4-judge commented Feb 19, 2023

Picodes commented Feb 24, 2023