Compromised owner is capable of draining all user's fund after user gives token allowance to TransferProxy.sol #52
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-a
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/scripts/deployments/Deploy.sol#L377
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/TransferProxy.sol#L33
Vulnerability details
Impact
Compromised owner is capable of draining all user's fund after user gives token allowance to TransferProxy.sol
Proof of Concept
The TransferProxy.sol is important because it helps moving the fund around in AuctionHouse, AstariaRouter and in LienToken.
As we can see, this function below is powerful. It is likely that user will give the max token allowance to the contract TransferProxy, otherwise, transaction would revert in AuctionHouse.sol, LienToken and in AuctionHouse.
Well, note that the requiresAuth modifier is used in the function tokenTransferFrom, this access control model means that only specific address set up by admin can call this function.
If the admin is compromised, the admin can authorize malicious contract that can drain all the token fund from user by calling the above tokenTransferFrom after user gives token allowance to TransferProxy.sol
Because the requiresAuth modifier calls:
which calls:
The auth.canCall is called in MultiRolesAuthority.sol, as shown in the Deploy.sol script
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/scripts/deployments/Deploy.sol#L118
And the relevent authorization is granted by calling:
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/scripts/deployments/Deploy.sol#L377
and
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/scripts/deployments/Deploy.sol#L410
by calling:
A compromised admin can call:
and
Then the malicious_contract_or_account address has permission to call tokenTransferFrom, which drains user token after user gives token allowance to TransferProxy.sol. ALl he needs to do is that set the token to token that he wants to transfer and steal, the address from is victim's address, the address to is the recipient (hacker's address), the amount is how much he wants to transfer and drain.
The reference (relevant )code for MultiRolesAuthority in solmate:
https://github.com/transmissions11/solmate/blob/main/src/test/MultiRolesAuthority.t.sol
Tools Used
Manual review
Recommended Mitigation Steps
Only use safeIncreaseAllowance to give minimum approval to move the fund around, use multisig to safeguard to admin address for
The text was updated successfully, but these errors were encountered: