this asset is malicious token contract of attacker. so attacker can construct this contract maliciously in a way that when it interact with transferFrom function of that contract it will transfers users assets to attacker address.
Impact:
users assets can be lost
Recommendation:
add allowedAssets and allowedDebtAsset to verify allowed assets before deploying vaults.
Severity
High
Affected Contracts
Chief.sol BorrowingVaultFactory.sol BorrowingVault.sol
Description
Attacker can stole user assets by deploying vault using malicious token because fuji is not checking valid
assets
ordebtAsset
.deployVault()
haspermissionlessDeployments
, so when it is true anyone can deploy vaults.https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/Chief.sol#L205-L226
it calls
deployVault()
function ofBorrowingFactory.sol
orYieldVaultFactory.sol
and it used to deploy vault.users interact with
borrow()
function of vault,borrow()
function internally calls_borrow()
and in that it callssafeTransfer
on the given asset.https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/vaults/borrowing/BorrowingVault.sol#L221-L239
https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/vaults/borrowing/BorrowingVault.sol#L434-L452
https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/vaults/borrowing/BorrowingVault.sol#L449
this asset is malicious token contract of attacker. so attacker can construct this contract maliciously in a way that when it interact with
transferFrom
function of that contract it will transfers users assets to attacker address.Impact:
users assets can be lost
Recommendation:
add
allowedAssets
andallowedDebtAsset
to verify allowed assets before deploying vaults.