Doubling of KIBToken balances #25
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-3
satisfactory: satisfies C4 submission criteria; eligible for awards
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4 added the 3 (High Risk) and bug labels, Feb 22, 2023
GalloDaSballo marked the issue as primary issue
c4-judge added the primary issue label, Feb 23, 2023
Example of a short and sweet description with good POC
This was referenced Feb 23, 2023
c4-judge added the duplicate-3 label and removed the primary issue label, Feb 26, 2023
GalloDaSballo marked the issue as duplicate of #3
Removed primary due to inaccuracy in statements
GalloDaSballo marked the issue as satisfactory
c4-judge added the satisfactory label, Feb 26, 2023
m19 marked the issue as sponsor confirmed
c4-sponsor added the sponsor confirmed label, Feb 28, 2023
Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/main/src/kuma-protocol/KIBToken.sol#L276-L292
Vulnerability details
Impact
The `KIBToken._transfer` function overrides the `ERC20Upgradeable._transfer` function and adds custom logic.
The modified function looks like this:
It can be seen that while performing the transfer of `amount` tokens, the function caches the token balances of `from` and `to` in temporary variables. These cached values do not represent the actual balances of accounts in an edge case.
This implementation of the `_transfer` function can be exploited by any KIBToken holder by passing their own address as the `to` parameter. When the `from` and `to` parameters are equal the function simply doubles the balance of that respective account. So any token holder holding `x` tokens at the start of function invocation will have `2x` tokens at the end of invocation.
The bug can be repeated infinitely to gain a huge KIBToken token balance. This huge token balance can be used to drain assets from other contracts of the protocol, as well as to drain liquidity pools of KIBToken.
Proof of Concept
This test case was added to `test/kuma-protocol/kib-token/KIBToken.transfer.t.sol` and run using `forge test -m test_audit`.
Tools Used
Forge
Recommended Mitigation Steps
Consider adding a check `require(from != to)` in the `_transfer` function. Or, always try to reference the storage parameters directly instead of storing values in temporary variables.
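The cached-balance pattern described in this report, next to a hardened version, as an added example that is not the KIBToken code or the submitter's proof of concept. It is a simplified Solidity model; the contract, function and variable names are assumptions. In this model a self-transfer credits the sender with `amount`, so sending the full balance doubles it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model written for this example; NOT the KIBToken source.
// Contract, function and variable names are assumptions.
contract CachedBalanceToken {
    mapping(address => uint256) private _balances;

    constructor(uint256 supply) {
        _balances[msg.sender] = supply;
    }

    function balanceOf(address account) external view returns (uint256) {
        return _balances[account];
    }

    // Vulnerable pattern: both balances are read before either is written.
    function transferCached(address to, uint256 amount) external {
        address from = msg.sender;
        uint256 fromBalance = _balances[from];
        uint256 toBalance = _balances[to]; // same slot as fromBalance when to == from
        require(fromBalance >= amount, "insufficient balance");

        _balances[from] = fromBalance - amount;
        // When to == from this overwrites the debit above with the stale
        // cached value plus amount, so the account gains `amount` tokens.
        _balances[to] = toBalance + amount;
    }

    // Hardened: reject self-transfers and update storage in place, so each
    // write sees the result of the previous one.
    function transferChecked(address to, uint256 amount) external {
        address from = msg.sender;
        require(from != to, "self transfer");
        require(_balances[from] >= amount, "insufficient balance");

        _balances[from] -= amount;
        _balances[to] += amount;
    }
}
```

Either change in `transferChecked` closes the gap on its own: the `require(from != to)` check rejects the call, and the in-place updates leave a self-transfer as a net no-op.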