search

Fujicracy / fuji-v2

Cross-chain money market aggregator
https://fuji-v2-frontend.vercel.app
15 stars 10 forks source link

permissionless vaults: attacker can steal users assets #314

Open rajatbeladiya opened 1 year ago

rajatbeladiya commented 1 year ago

Severity

High

Affected Contracts

Chief.sol BorrowingVaultFactory.sol BorrowingVault.sol

Description

Attacker can stole user assets by deploying vault using malicious token because fuji is not checking valid assets or debtAsset.

deployVault() has permissionlessDeployments, so when it is true anyone can deploy vaults.

https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/Chief.sol#L205-L226

it calls deployVault() function of BorrowingFactory.sol or YieldVaultFactory.sol and it used to deploy vault.

users interact with borrow() function of vault, borrow() function internally calls _borrow() and in that it calls safeTransfer on the given asset.

https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/vaults/borrowing/BorrowingVault.sol#L221-L239

https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/vaults/borrowing/BorrowingVault.sol#L434-L452

https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/vaults/borrowing/BorrowingVault.sol#L449

this asset is malicious token contract of attacker. so attacker can construct this contract maliciously in a way that when it interact with transferFrom function of that contract it will transfers users assets to attacker address.

Impact:

users assets can be lost

Recommendation:

add allowedAssets and allowedDebtAsset to verify allowed assets before deploying vaults.