Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Withdraw function in Astaria Router takes approval for wrong amount leading to possibility of over approvals #467

Closed
code423n4 opened this issue Jan 19, 2023 · 7 comments
Closed

Withdraw function in Astaria Router takes approval for wrong amount leading to possibility of over approvals #467

code423n4 opened this issue Jan 19, 2023 · 7 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-228 satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/AstariaXYZ/astaria-gpl/blob/4b49fe993d9b807fe68b3421ee7f2fe91267c9ef/src/ERC4626RouterBase.sol#L48
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/AstariaRouter.sol#L168
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/PublicVault.sol#L131
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/PublicVault.sol#L163

Vulnerability details

Impact

withdraw() function in Line 168 of AstariaRouter.sol allows vault token owners to withdraw underlying asset from vault. Note that implementation calls the withdraw() function of its parent contract ERC4626RouterBase.sol, refer line 48.

Note that approval is taken for amount instead of maxSharesOut - amount here refers to the actual underlying asset that was deposited in the vault (eg. WETH) and not the shares held by owner.

This function then calls withdraw function in Line 131 of PublicVault.sol. This function reduces allowance of shares that are supposed to be burnt - since the approval was given for amount of underlying asset & not maxShares, this could lead to either over allowance/under allowance situation. Under allowance leads to denial-of-service, over allowance leads to open approvals that were never supposed to be open.

Since this can potentially lead to loss of vault tokens of LPs, I've marked it as HIGH risk

Proof of Concept

  • Bob is a LP who owns 100 shares in vault whose present vaule is 1000 ETH (let's assume each vault share is worth 10 ETH)
  • Bob calls the withdraw function of Astaria Router
  • Bob wants to withdraw 100 WETH by burning a maximum of 10 vault shares
  • Function takes approval for 100 shares instead of 10
  • Even after withdrawal, Bob still unknowingly has given approval to vault to spend 90 more shares representing 900 ETH

Tools Used

Manual

Recommended Mitigation Steps

Change line 48 in ERCRouterBase.sol from

ERC20(address(vault)).safeApprove(address(vault), amount);

to

ERC20(address(vault)).safeApprove(address(vault), maxSharesOut);
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jan 19, 2023
code423n4 added a commit that referenced this issue Jan 19, 2023
@code423n4
0Kage issue #467
9997284
@Picodes Picodes mentioned this issue Jan 23, 2023
Closed
@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Jan 23, 2023
@c4-judge
Copy link
Contributor

Picodes marked the issue as primary issue

@Picodes
Copy link

Picodes commented Jan 23, 2023

Medium risk to me as:

  • Funds are not lost as the user can interact directly with the vault
  • over allowance is not an issue in itself if there is no demonstrated attack path

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Jan 23, 2023
@c4-judge
Copy link
Contributor

Picodes changed the severity to 2 (Med Risk)

@c4-judge c4-judge mentioned this issue Jan 26, 2023
Open
@c4-sponsor
Copy link

SantiagoGregory marked the issue as sponsor confirmed

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Feb 1, 2023
@androolloyd
Copy link

@SantiagoGregory

@c4-judge
Copy link
Contributor

Picodes marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 21, 2023
@c4-judge
Copy link
Contributor

Picodes marked issue #228 as primary and marked this issue as a duplicate of 228

@c4-judge c4-judge added duplicate-228 and removed primary issue Highest quality submission among a set of duplicates labels Feb 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-228 satisfactory satisfies C4 submission criteria; eligible for awards sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@androolloyd @Picodes @code423n4 @c4-judge @c4-sponsor