fix: returnAsset exploit

* test: fix USDC deal problem * test: fix broken tests due to assumptions * test: rm assert condition due to changes in assumption * test: returnAsset attack * test: add comments for commented out code * test: add test for full redeem at different times * feat: add rawCall function for asset manager * fix: rm comments regarding vuln * ci: change fuzz runs to 10K * ci: rm custom fuzz runs * test: rawCall * fix: update error message * test: fix bound too low no interest accrued * test: rm polygon test as USDC doesn't have a master minter role
reservoir-labs · Feb 24, 2024 · dc0f153 · dc0f153
1 parent 5fe192e
commit dc0f153
Show file tree

Hide file tree

Showing 4 changed files with 205 additions and 40 deletions.
diff --git a/src/asset-management/AaveManager.sol b/src/asset-management/AaveManager.sol
@@ -6,6 +6,7 @@ import { Owned } from "solmate/auth/Owned.sol";
 import { FixedPointMathLib } from "solady/utils/FixedPointMathLib.sol";
 import { SafeTransferLib } from "solady/utils/SafeTransferLib.sol";
 import { SafeCast } from "@openzeppelin/utils/math/SafeCast.sol";
+import { Address } from "@openzeppelin/utils/Address.sol";
 
 import { IAssetManagedPair } from "src/interfaces/IAssetManagedPair.sol";
 import { IAssetManager, IERC20 } from "src/interfaces/IAssetManager.sol";
@@ -107,6 +108,13 @@ contract AaveManager is IAssetManager, Owned(msg.sender), ReentrancyGuard {
         emit Thresholds(aLowerThreshold, aUpperThreshold);
     }
 
+    function rawCall(address aTarget, bytes calldata aCalldata, uint256 aValue)
+        external
+        onlyOwner
+        returns (bytes memory)
+    {
+        return Address.functionCallWithValue(aTarget, aCalldata, aValue, "AM: RAW_CALL_REVERTED");
+    }
     /*//////////////////////////////////////////////////////////////////////////
                                 HELPER FUNCTIONS
     //////////////////////////////////////////////////////////////////////////*/
@@ -131,13 +139,6 @@ contract AaveManager is IAssetManager, Owned(msg.sender), ReentrancyGuard {
     {
         rShares = aAmount.mulDivUp(totalShares[aAaveToken], aAaveToken.balanceOf(address(this)));
 
-        uint256 lCurrentShares = shares[aPair][aToken];
-
-        // this is to prevent underflow as we round up in the previous division operation
-        if (rShares > lCurrentShares) {
-            rShares = lCurrentShares;
-        }
-
         shares[aPair][aToken] -= rShares;
         totalShares[aAaveToken] -= rShares;
     }

diff --git a/test/__mocks/ReturnAssetExploit.sol b/test/__mocks/ReturnAssetExploit.sol
@@ -0,0 +1,27 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.0;
+
+import "src/interfaces/IAssetManager.sol";
+import { ReservoirPair } from "src/ReservoirPair.sol";
+import { SafeTransferLib } from "solady/utils/SafeTransferLib.sol";
+
+contract ReturnAssetExploit {
+    using SafeTransferLib for address;
+
+    IERC20 public token0;
+    IERC20 public token1;
+
+    constructor(ReservoirPair aPair) {
+        token0 = aPair.token0();
+        token1 = aPair.token1();
+    }
+
+    function adjustManagement(int256 token0Change, int256 token1Change) external {
+        address(token0).safeTransferFrom(msg.sender, address(this), uint256(-token0Change));
+        address(token1).safeTransferFrom(msg.sender, address(this), uint256(-token1Change));
+    }
+
+    function attack(IAssetManager aAssetManager) external {
+        aAssetManager.returnAsset(false, 123555);
+    }
+}