ctf_sec - Curve admin can drain pool via reentrancy (equal to executing emergency withdraw and rugging Tokemak funds by a third party) #862
Comments
1 comment(s) were left on this issue during the judging contest. Trumpero commented:
Escalate. As the protocol docs mention (https://audits.sherlock.xyz/contests/101), the issue got exploited in this report; users from Tokemak lose funds as well.
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Hi @JeffCX, based on this comment of the sponsors in the contest channel, I think this issue should be marked as low/invalid:
The sponsor said emergency withdrawal or pause is an unacceptable risk. Did you read it as "acceptable", sir?
Some discussion is happening in #899, but this is a separate external integration risk from the Balancer one that can impact Tokemak users :) and I don't think this is a known issue.
Thank you very much! 😄🎉!!
Yes, you are right.
Planning to accept the escalation and label the issue as valid.
thanks👍🙏
@Trumpero would you agree with high severity?
No, I think it should be medium since it assumes the Curve admin becomes malicious.
Agree with medium; #570, a similar finding about an external admin turning malicious, is marked as medium as well.
Result:
Escalations have been resolved successfully! Escalation status:
ctf_sec
high
Curve admin can drain pool via reentrancy (equal to executing emergency withdraw and rugging Tokemak funds by a third party)
Summary
Curve admin can drain pool via reentrancy (equal to executing emergency withdraw and rugging Tokemak funds)
Vulnerability Detail
A few Curve liquidity pools are well in-scope:
One of the pools is 0x21E27a5E5513D6e65C4f830167390997aA84843a
https://etherscan.io/address/0x21E27a5E5513D6e65C4f830167390997aA84843a#code#L1121
The admin of Curve pools can easily drain them via reentrancy through the withdraw_admin_fees function. If the admin of the Curve pool sets the receiver to a malicious smart contract and reenters withdraw_admin_fees 1000 times, it can drain the pool even when admin_balances is small.
The line of code (linked above) triggers the reentrancy.
This is a problem because, as stated by the Tokemak team:
As you can see above, pausing or emergency withdrawals are not acceptable, and this is possible for Curve pools, so this is a valid issue according to the protocol and according to the README.
Impact
Curve admins can drain the pool via reentrancy.
Code Snippet
https://etherscan.io/address/0x21E27a5E5513D6e65C4f830167390997aA84843a#code#L1121
Tool used
Manual Review
Recommendation
N/A
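The report describes a fee-withdrawal path that pays an admin-chosen receiver and only afterwards clears the accrued fee balance, so a receiver that calls back into the pool is paid the same small fee over and over. The following is an added, constructed toy model (Python, not Curve's Vyper code and not Tokemak's code) that shows the invariant an integrator cares about, "the admin can never extract more than the accrued admin fees", breaking under that ordering and holding once the state update precedes the external call and the function carries a reentrancy lock. Class names, the `on_receive` callback, the token amounts and the reentry depth are all assumptions; depth 200 stands in for the 1000 reentries mentioned in the report so the simulation stays within Python's default recursion limit.

```python
"""Constructed toy model of an admin-fee withdrawal with a receiver callback.

Not Curve's or Tokemak's code. The pool holds user liquidity plus a small
accrued admin fee balance and pays the fee to an admin-chosen receiver via a
callback. The vulnerable and hardened pools differ only in the order of the
state update relative to the external call, and in the reentrancy lock.
"""


class Reentered(Exception):
    """Raised by the hardened pool when a nested withdraw_admin_fees call arrives."""


class VulnerablePool:
    """Pays the receiver before clearing admin_balances (state update after the call)."""

    def __init__(self, user_liquidity, admin_fees):
        self.balance = user_liquidity + admin_fees  # total tokens held by the pool
        self.admin_balances = admin_fees             # fees accrued to the admin

    def withdraw_admin_fees(self, receiver):
        amount = self.admin_balances
        if amount == 0 or self.balance < amount:
            return
        self.balance -= amount
        receiver.on_receive(self, amount)   # external call while admin_balances is still set
        self.admin_balances = 0             # the effect lands only after the interaction


class HardenedPool(VulnerablePool):
    """Checks-effects-interactions plus a lock: the admin gets at most admin_balances."""

    def __init__(self, user_liquidity, admin_fees):
        super().__init__(user_liquidity, admin_fees)
        self._locked = False

    def withdraw_admin_fees(self, receiver):
        if self._locked:
            raise Reentered("withdraw_admin_fees is non-reentrant")
        self._locked = True
        try:
            amount = self.admin_balances
            if amount == 0:
                return
            self.admin_balances = 0         # effect first ...
            self.balance -= amount
            receiver.on_receive(self, amount)  # ... interaction last
        finally:
            self._locked = False


class ReenteringReceiver:
    """Receiver that calls back into the pool up to `depth` times (constructed)."""

    def __init__(self, depth):
        self.depth = depth
        self.received = 0
        self.calls = 0

    def on_receive(self, pool, amount):
        self.received += amount
        self.calls += 1
        if self.calls < self.depth:
            try:
                pool.withdraw_admin_fees(self)
            except Reentered:
                pass  # the hardened pool rejects the nested call


def simulate(pool_cls, user_liquidity=1_000_000, admin_fees=1_000, depth=200):
    """Run one admin withdrawal; return (tokens the receiver got, tokens left in the pool)."""
    pool = pool_cls(user_liquidity, admin_fees)
    receiver = ReenteringReceiver(depth)
    pool.withdraw_admin_fees(receiver)
    return receiver.received, pool.balance


def admin_fee_invariant_holds(pool_cls, **kw):
    """Integrator-side check: the admin must never extract more than the accrued fees."""
    admin_fees = kw.get("admin_fees", 1_000)
    received, _ = simulate(pool_cls, **kw)
    return received <= admin_fees


if __name__ == "__main__":
    for cls in (VulnerablePool, HardenedPool):
        got, left = simulate(cls)
        print(f"{cls.__name__}: receiver got {got}, pool left with {left}, "
              f"invariant holds: {admin_fee_invariant_holds(cls)}")
```

With the constructed numbers, the vulnerable pool pays out 200 times the 1,000-token fee while the hardened pool pays it exactly once. The point for an integrator such as Tokemak is that the severity of this class of issue is decided by what an external admin is able to do, which is why the escalation settled on treating it as an external-admin trust risk rather than a bug in Tokemak's own code.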