code-423n4 / 2021-09-defiprotocol-findings


Malicious tokens can execute arbitrary code #162

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0xRajeev

Vulnerability details

Impact

The protocol allows listing of arbitrary tokens in baskets and bounties. Without a whitelist or vetting of tokens, an attacker (publisher or bounty creator) can add a malicious basket/bounty token whose implementation does not really transfer any tokens at all, could execute reentrancies, or execute arbitrary code. For example, without checking token balances before/after transfers to verify that the expected amount was indeed transferred, the basket/bounty logic could be unreliable.

Proof of Concept

https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Factory.sol#L65-L91

https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Auction.sol#L126-L138

https://medium.com/electric-capital/derisking-defi-guarded-launches-2600ce730e0a

Tools Used

Manual Analysis

Recommended Mitigation Steps

Consider a guarded launch with initial whitelisted tokens for baskets and bounties and for later, add defensive logic with reentrancy guards and checks for token balances before/after transfers.
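The defensive pattern the mitigation describes (a token whitelist, a reentrancy guard, and a balance check before and after the transfer), written out as an added Solidity example. This is illustrative code, not part of the defiProtocol contracts or of the warden's submission; it assumes OpenZeppelin Contracts 4.x import paths and a hypothetical `GuardedDeposit` contract that credits users only for tokens that actually arrived.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts 4.x (ReentrancyGuard lives under security/ in 4.x).
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/// Hypothetical vault showing the three mitigations from the finding:
/// an owner-managed token whitelist, a reentrancy guard on the
/// state-changing entry point, and a balance-delta check so a token that
/// under-delivers (or takes a fee on transfer) cannot inflate accounting.
contract GuardedDeposit is ReentrancyGuard, Ownable {
    using SafeERC20 for IERC20;

    mapping(address => bool) public whitelisted;
    // token => depositor => amount actually received
    mapping(address => mapping(address => uint256)) public deposits;

    event TokenWhitelisted(address indexed token, bool allowed);
    event Deposited(address indexed token, address indexed from, uint256 credited);

    error TokenNotWhitelisted(address token);
    error TransferShortfall(uint256 expected, uint256 received);

    /// Guarded launch: only tokens vetted by the owner can be deposited.
    function setWhitelisted(address token, bool allowed) external onlyOwner {
        whitelisted[token] = allowed;
        emit TokenWhitelisted(token, allowed);
    }

    /// nonReentrant blocks a token whose transferFrom calls back into deposit().
    function deposit(address token, uint256 amount) external nonReentrant {
        if (!whitelisted[token]) revert TokenNotWhitelisted(token);

        // Measure the balance before and after instead of trusting the
        // token's return value or the caller-supplied amount.
        uint256 before = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = IERC20(token).balanceOf(address(this)) - before;

        // Reject tokens that delivered less than requested. Dropping this
        // revert (and crediting `received`) would admit fee-on-transfer tokens.
        if (received < amount) revert TransferShortfall(amount, received);

        deposits[token][msg.sender] += received;
        emit Deposited(token, msg.sender, received);
    }
}
```

The balance-delta check only catches tokens that under-deliver while reporting honest balances; a token that also lies in `balanceOf` defeats it, which is why the whitelist remains the primary control and the balance check is defence in depth.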

frank-beard commented 2 years ago

For now we are only concerned with 'Defi Safe' tokens that conform to the ERC-20 standard. It is expected that publishers and users should do due diligence when adding assets to a basket.

GalloDaSballo commented 2 years ago

Finding is valid, a little generic but in line with other wardens' findings.

GalloDaSballo commented 2 years ago

After further review, because of a lack of any specific substance, I am downgrading this to non-critical.