Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

berndartmueller - Previous yield distributor can drain collected fees #37

Closed
sherlock-admin opened this issue Oct 28, 2022 · 2 comments
Closed

berndartmueller - Previous yield distributor can drain collected fees #37

sherlock-admin opened this issue Oct 28, 2022 · 2 comments
Labels
Disagree With Severity Has Duplicates Medium

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Oct 28, 2022
edited by Evert0x
Loading

berndartmueller

high

Previous yield distributor can drain collected fees

Summary

The yield distributor has the maximum token spending allowance for the HardenedTopupProxy.sol and ExchangeProxy contracts. However, when setting a new and different yield distributor, the old yield distributor still has the maximum spending allowance and can drain all collected fees.

Vulnerability Detail

When setting a new yield distributor with the setYieldDistributor function in both the HardenedTopupProxy.sol and ExchangeProxy contracts, the yield distributor address will have the ERC-20 token with the address _tokenAddress approved with the maximum allowance ALLOWANCE_SIZE = type(uint256).max as a spender.

If the contract admin changes the current yield distributor to a different address, the previous address still has the spending allowance. This means that the previous yield distributor can spend the tokens from both contracts.

Impact

A previously set yield distributor continues to have the ERC-20 token spending allowance and can drain the collected fees.

Code Snippet

ExchangeProxy.setYieldDistributor

function setYieldDistributor(address _tokenAddress, address _distributorAddress) public onlyAdmin {
    yieldDistributorAddress = _distributorAddress;
    // only yield to be redistributed should be present on this contract in baseAsset (or other tokens if swap fees)
    // so no access to lp tokens for the funds invested
    resetAllowanceIfNeeded(IERC20(_tokenAddress), _distributorAddress, ALLOWANCE_SIZE);
}

HardenedTopupProxy.setYieldDistributor

function setYieldDistributor(address _tokenAddress, address _distributorAddress) public onlyAdmin {
    yieldDistributorAddress = _distributorAddress;
    // only yield to be redistributed should be present on this contract balance in baseAsset
    resetAllowanceIfNeeded(IERC20Upgradeable(_tokenAddress), _distributorAddress, ALLOWANCE_SIZE);
}

Tool Used

Manual Review

Recommendation

Consider removing the call to the resetAllowanceIfNeeded function within the two setYieldDistributor functions and only let the current yield distributor claim fees via the provided claimFees function.
This was referenced Oct 28, 2022
Closed
Closed
@McMannaman
Copy link

I think that it's a low vulnerability (user funds are not affected by this and fees are harvested from time to time anyway in the normal flow of operation).
But, regardless -- this issue has a valid point.

This was referenced Oct 29, 2022
Closed
Closed
Open
@Evert0x Evert0x removed the Duplicate label Nov 1, 2022
@Evert0x Evert0x reopened this Nov 1, 2022
@Evert0x Evert0x mentioned this issue Nov 1, 2022
Closed
@Evert0x
Copy link
Contributor

Evert0x commented Nov 4, 2022

A compromised, or misconfigured yield distributor address is not considered a medium severity

@Evert0x Evert0x closed this as completed Nov 4, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Disagree With Severity Has Duplicates Medium
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@McMannaman @hrishibhat @Evert0x @sherlock-admin