strictly-scarce
commented
3 years ago The protocol is not designed to be used by relayers.
Closed code423n4 closed 3 years ago
strictly-scarce
commented
3 years ago The protocol is not designed to be used by relayers.
dmvt
commented
3 years ago duplicate of #217
Handle
jvaqa
Vulnerability details
Impact
transferTo() When Used By A Smart Contract Wallet Tranfers The Relayer's Funds Rather Than The Wallet's Funds.
The transferTo pattern used in Vader.sol, USDV.sol, Synth.sol, Token1.sol, and Token2.sol utilizes tx.origin to determine the sender of tokens. However, smart contract wallets often have a completely unnrelated "relayer" as the actual initiator of the transaction. As written, transferTo would steal the relayer's funds, rather than the smart wallet's funds.
Proof of Concept
Any time a smart contract relayer owns any Vader, USDV, VaderSynths, or other Vader tokens, Alice can call the following line of code from her smart contract wallet that uses that relayer:
transferTo(aliceEOAAddress, balanceOf(relayer));
And Alice will receive the tokens owned by the relayer at her EOA address.
Recommended Mitigation Steps
Remove transferTo() from Vader.sol, USDV.sol, Synth.sol, Token1.sol, and Token2.sol.