code-423n4 / 2021-09-defiprotocol-findings


Risk of duplicate/scam basket token names/symbols may trick users #176

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0xRajeev

Vulnerability details

Impact

The current implementation does not check that tokenName & tokenSymbol are not the same as other ones already registered. This is required to prevent scams from using popular basket names but with random tokens/weights underneath. The only offchain monitoring for baskets is the tokenName emitted.

Exploit scenario: A basket of DeFi tokens lists as DPI and becomes very popular with a large TVL. A malicious publisher creates a basket with questionable DeFi tokens under the same basket token name/symbol of DPI. Users get tricked into depositing with this scam basket instead of the original one and risk losing their funds to underperformance of the duplicate basket token composition.

Proof of Concept

https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Factory.sol#L67-L68

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add logic to check that tokenName & tokenSymbol are not the same as other ones already registered by keeping track of basket token names and symbols.

GalloDaSballo commented 2 years ago

Definitely a feature of the protocol at this time. I'll leave as Low Severity; personally would recommend adding a check for Symbol and Name, as I've been told Etherscan will simply sort tokens by date rather than by "legitimacy". That said, if the sponsor had disputed, this is a property of the system that users need to be aware of.
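One way to implement the check recommended in the finding and echoed by the judge (keep track of registered basket token names and symbols and reject duplicates), as an added illustration that is not the protocol's own Factory.sol code. The contract, function name `proposeBasket`, the `_normalise` helper and the error types are assumptions; the only identifiers taken from the report are the `tokenName` and `tokenSymbol` parameters. It goes slightly beyond an exact-match check by folding ASCII case and rejecting non-printable or padded identifiers, so that `DPI`, `dpi` and `DPI ` all collide with an existing `DPI` basket.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical, minimal stand-in for the basket factory. Not the project's code;
/// it only shows the duplicate name/symbol check, not the rest of proposal logic.
contract BasketNameRegistry {
    // keccak256 of the normalised name / symbol => true once a basket has claimed it
    mapping(bytes32 => bool) private _nameTaken;
    mapping(bytes32 => bool) private _symbolTaken;

    event BasketProposed(address indexed proposer, string tokenName, string tokenSymbol);

    error NameTaken(string tokenName);
    error SymbolTaken(string tokenSymbol);
    error InvalidIdentifier(string value);

    /// Registers the pair and reverts if either the name or the symbol is
    /// already in use. Both checks run before any state is written, so a
    /// reverted call leaves neither mapping updated.
    function proposeBasket(string calldata tokenName, string calldata tokenSymbol) external {
        bytes32 nameKey = _normalise(tokenName);
        bytes32 symbolKey = _normalise(tokenSymbol);

        if (_nameTaken[nameKey]) revert NameTaken(tokenName);
        if (_symbolTaken[symbolKey]) revert SymbolTaken(tokenSymbol);

        _nameTaken[nameKey] = true;
        _symbolTaken[symbolKey] = true;

        emit BasketProposed(msg.sender, tokenName, tokenSymbol);
        // ... the real factory would continue with basket creation here
    }

    function isNameTaken(string calldata tokenName) external view returns (bool) {
        return _nameTaken[_normalise(tokenName)];
    }

    function isSymbolTaken(string calldata tokenSymbol) external view returns (bool) {
        return _symbolTaken[_normalise(tokenSymbol)];
    }

    /// Hypothetical normalisation: printable ASCII only (0x20..0x7E), no
    /// leading/trailing space, at most 32 bytes, and A-Z folded to a-z so
    /// case-only variants of a registered identifier collide with it.
    function _normalise(string calldata value) internal pure returns (bytes32) {
        bytes memory b = bytes(value);
        uint256 len = b.length;
        if (len == 0 || len > 32) revert InvalidIdentifier(value);
        if (uint8(b[0]) == 0x20 || uint8(b[len - 1]) == 0x20) revert InvalidIdentifier(value);

        for (uint256 i = 0; i < len; i++) {
            uint8 c = uint8(b[i]);
            if (c < 0x20 || c > 0x7E) revert InvalidIdentifier(value);
            if (c >= 0x41 && c <= 0x5A) {
                b[i] = bytes1(c + 32); // fold upper-case to lower-case
            }
        }
        return keccak256(b);
    }
}
```

The check only addresses exact and case-variant duplicates of an on-chain name or symbol. It does not stop visually similar strings (`DPl` with a lower-case L, or `DPI2`), and nothing on-chain can make a name authoritative; users still need to verify the basket contract address rather than trust the name shown by a block explorer, which is the point the judge makes about Etherscan's ordering.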