-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PrivatePool owner can steal all ERC20 and NFT from user via arbitrary execution #184
Comments
0xSorryNotSorry marked the issue as high quality report |
0xSorryNotSorry marked the issue as primary issue |
outdoteth marked the issue as sponsor confirmed |
Fixed in: outdoteth/caviar-private-pools#2 The proposed fix is to revert if execute tries to call the if (target == address(baseToken) || target == address(nft)) revert InvalidTarget(); |
@outdoteth Wouldn't the owner be the one owning all of the deposited assets anyway? |
@GalloDaSballo The exploit is not about the owner having ownership over owned deposits but rather about stealing non-deposited user funds. For example,
Alice has now lost all of her Miladies. The same also applies to baseToken approvals when Alice wants to buy some NFTs. The proposed fix is to prevent "execute()" from being able to call the |
Thank you @outdoteth for clarifying |
The Warden has shown how, because of the I have considered downgrading the finding because of the Router technically providing a safety check against the pool However, I believe that the risky pattern of direct approvals to the pool is demonstrated by the pull transfer performed by the FlashLoan function: ERC721(token).safeTransferFrom(address(receiver), address(this), tokenId);
For that call to work, the user / user-contract will have to have approved the pool directly For this reason I agree with High Severity |
GalloDaSballo marked the issue as selected for report |
Lines of code
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePool.sol#L459
Vulnerability details
Impact
PrivatePool owner can steal all ERC20 and NFT from user via arbitrary execution.
Proof of Concept
In the current implementation of the PrivatePool.sol, the function execute is meant to claim airdrop, however, we cannot assume the owner is trusted because anyone can permissionlessly create private pool.
the owner of private pool can easily steal all ERC20 token and NFT from the user's wallet after user give approval to the PrivatePool contract and the user has to give the approval to the pool to let the PrivatePool pull ERC20 token and NFT from the user when user buy or sell or change from EthRouter or directly calling PrivatePool,
the POC below shows, the owner of the PrivatePool can carefully crafting payload to steal fund via arbitrary execution.
after user's apporval, the target can be a ERC20 token address or a NFT address, the call data can be the payload of transferFrom or function.
Please add the code to Execute.t.sol so we can create a mock token
Please add the POC below to Execute.t.sol
We run the POC, the output is
As we can see, the victim's ERC20 token are stolen.
Tools Used
Manual Review
Recommended Mitigation Steps
We recommend the protocol not let the private pool owner perform arbtirary execution, the private pool can use the flashloan to claim the airdrop himself.
The text was updated successfully, but these errors were encountered: