Skip to content
This repository has been archived by the owner on Jul 21, 2024. It is now read-only.

T1MOH - All funds can be stolen from JOJODealer #7

Open
sherlock-admin opened this issue Jan 18, 2024 · 3 comments
Open

T1MOH - All funds can be stolen from JOJODealer #7

sherlock-admin opened this issue Jan 18, 2024 · 3 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Jan 18, 2024
edited
Loading

T1MOH

high

All funds can be stolen from JOJODealer

Summary

Funding._withdraw() makes arbitrary call with user specified params. User can for example make ERC20 to himself and steal funds.

Vulnerability Detail

User can specify parameters param and to when withdraws:

    function executeWithdraw(address from, address to, bool isInternal, bytes memory param) external nonReentrant {
        Funding.executeWithdraw(state, from, to, isInternal, param);
    }

In the end of _withdraw() function address to is called with that bytes param:

    function _withdraw(
        Types.State storage state,
        address spender,
        address from,
        address to,
        uint256 primaryAmount,
        uint256 secondaryAmount,
        bool isInternal,
        bytes memory param
    )
        private
    {
        ...

        if (param.length != 0) {
@>          require(Address.isContract(to), "target is not a contract");
            (bool success,) = to.call(param);
            if (success == false) {
                assembly {
                    let ptr := mload(0x40)
                    let size := returndatasize()
                    returndatacopy(ptr, 0, size)
                    revert(ptr, size)
                }
            }
        }
    }

As an attack vector attacker can execute withdrawal of 1 wei to USDC contract and pass calldata to transfer arbitrary USDC amount to himself via USDC contract.

Impact

All funds can be stolen from JOJODealer

Code Snippet

https://github.com/sherlock-audit/2023-12-jojo-exchange-update/blob/ed4a8483da11bcc04ced10de899038bcead087b3/smart-contract-EVM/src/libraries/Funding.sol#L173-L184

Tool used

Manual Review

Recommendation

Don't make arbitrary call with user specified params
@github-actions github-actions bot added High A valid High severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jan 22, 2024
This was referenced Jan 22, 2024
Closed
Closed
Closed
Closed
Closed
Closed
@sherlock-admin2
Copy link
Contributor

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid because { This is valid and i can validate it with POC from report 076}

@JoscelynFarr JoscelynFarr added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Jan 23, 2024
JoscelynFarr pushed a commit to JOJOexchange/smart-contract-EVM that referenced this issue Jan 26, 2024
Fixed issue7: sherlock-audit/2023-12-jojo-exchange-update-judging#7
763de53
@JoscelynFarr
Copy link

Fixed PR: JOJOexchange/smart-contract-EVM@763de53

@sherlock-admin sherlock-admin changed the title Glamorous Metal Albatross - All funds can be stolen from JOJODealer T1MOH - All funds can be stolen from JOJODealer Jan 27, 2024
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jan 27, 2024
@IAm0x52
Copy link
Collaborator

IAm0x52 commented Feb 4, 2024

Fix looks good. To must now be a whitelisted contract

coin96 pushed a commit to coin96/smart-contract-EVM that referenced this issue Apr 29, 2024
@universal9622
Fixed issue7: sherlock-audit/2023-12-jojo-exchange-update-judging#7
56def84
Tvenus added a commit to Tvenus/smart-contract-EVM that referenced this issue May 27, 2024
@Tvenus @universal9622
Fixed issue7: sherlock-audit/2023-12-jojo-exchange-update-judging#7
24588de
Omokami added a commit to Omokami/smart-contract-EVM that referenced this issue May 30, 2024
@Omokami @universal9622
Fixed issue7: sherlock-audit/2023-12-jojo-exchange-update-judging#7
0dbf049
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sherlock-admin @IAm0x52 @JoscelynFarr @sherlock-admin2