Skip to content
This repository has been archived by the owner on Jul 21, 2024. It is now read-only.

0x52 - Funding#requestWithdraw uses incorrect withdraw address #53

Open
sherlock-admin opened this issue Jan 18, 2024 · 5 comments
Open

0x52 - Funding#requestWithdraw uses incorrect withdraw address #53

sherlock-admin opened this issue Jan 18, 2024 · 5 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Jan 18, 2024
edited
Loading

0x52

medium

Funding#requestWithdraw uses incorrect withdraw address

Summary

When requesting a withdraw, msg.sender is used in place of the from address. This means that withdraws cannot be initiated on behalf of other users. This will break integrations that depend on this functionality leading to irretrievable funds.

Vulnerability Detail

Funding.sol#L69-L82

function requestWithdraw(
    Types.State storage state,
    address from,
    uint256 primaryAmount,
    uint256 secondaryAmount
)
    external
{
    require(isWithdrawValid(state, msg.sender, from, primaryAmount, secondaryAmount), Errors.WITHDRAW_INVALID);
    state.pendingPrimaryWithdraw[msg.sender] = primaryAmount;
    state.pendingSecondaryWithdraw[msg.sender] = secondaryAmount;
    state.withdrawExecutionTimestamp[msg.sender] = block.timestamp + state.withdrawTimeLock;
    emit RequestWithdraw(msg.sender, primaryAmount, secondaryAmount, state.withdrawExecutionTimestamp[msg.sender]);
}

As shown above the withdraw is accidentally queue to msg.sender NOT the from address. This means that all withdraws started on behalf of another user will actually trigger a withdraw from the operator. The result is that withdraw cannot be initiated on behalf of other users, even if the allowance is set properly, leading to irretrievable funds

Impact

Requesting withdraws for other users is broken and strands funds

Code Snippet

Funding.sol#L69-L82

Tool used

Manual Review

Recommendation

Change all occurrences of msg.sender in stage changes to from instead.
@github-actions github-actions bot added Medium A valid Medium severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jan 22, 2024
This was referenced Jan 22, 2024
Closed
Closed
Closed
@sherlock-admin2
Copy link
Contributor

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid because { This is valid and a dupp of 082 with minimal impact}

@JoscelynFarr JoscelynFarr added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Jan 23, 2024
JoscelynFarr pushed a commit to JOJOexchange/smart-contract-EVM that referenced this issue Jan 26, 2024
Fixed issue 53: sherlock-audit/2023-12-jojo-exchange-update-judging#53
82b5c85
@sherlock-admin sherlock-admin changed the title Hot Infrared Starling - Funding#requestWithdraw uses incorrect withdraw address 0x52 - Funding#requestWithdraw uses incorrect withdraw address Jan 27, 2024
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jan 27, 2024
@nevillehuang nevillehuang mentioned this issue Jan 27, 2024
Closed
@detectiveking123
Copy link
Collaborator

@nevillehuang do you believe this has enough impact to be considered valid?

@JoscelynFarr
Copy link

Fixed PR: JOJOexchange/smart-contract-EVM@82b5c85

@IAm0x52
Copy link
Collaborator

IAm0x52 commented Feb 4, 2024

Fix looks good. Now uses from instead of msg.sender

@nevillehuang
Copy link
Collaborator

nevillehuang commented Feb 5, 2024
edited
Loading

@detectiveking123 @JoscelynFarr #30 (comment)

@Czar102 Czar102 mentioned this issue Feb 10, 2024
Closed
coin96 pushed a commit to coin96/smart-contract-EVM that referenced this issue Apr 29, 2024
@universal9622
Fixed issue 53: sherlock-audit/2023-12-jojo-exchange-update-judging#53
133c3ae
Tvenus added a commit to Tvenus/smart-contract-EVM that referenced this issue May 27, 2024
@Tvenus @universal9622
Fixed issue 53: sherlock-audit/2023-12-jojo-exchange-update-judging#53
0a86253
Omokami added a commit to Omokami/smart-contract-EVM that referenced this issue May 30, 2024
@Omokami @universal9622
Fixed issue 53: sherlock-audit/2023-12-jojo-exchange-update-judging#53
6e4889b
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@nevillehuang @sherlock-admin @IAm0x52 @JoscelynFarr @sherlock-admin2 @detectiveking123