Open. code423n4 opened this issue 2 years ago.

I don't see a way that results in tokens being held in VaultHelper, but I agree it should be documented, as in Manager.sol and MetaVaultNonConverter.sol. I believe this issue should be labeled as non-critical and documentation.

Agree with Non-Critical severity; this is a documentation issue and is a contract feature, not a flaw.
Handle: hrkrshnn

Vulnerability details

VaultHelper contract should never have tokens at the end of a transaction

The VaultHelper should not hold tokens at any point in time. Doing so makes the tokens available for anyone to withdraw.
Here's an example exploit allowing an attacker to withdraw any tokens that the VaultHelper contains. Assume that the VaultHelper holds a token named ExampleToken.

Step 1

Deploy contracts with the following interfaces:

Step 2

Attacker calls withdrawVault(address(FakeVault), address(ExampleToken), 0). This transfers all of _toToken to the attacker.

The project seems to explicitly specify when a contract is not supposed to hold tokens, for example in MetaVaultNonConverter.sol or Manager.sol. In the absence of such a remark, it is assumed that the contract is safe to hold tokens, which is incorrect in this case.
Recommended Mitigation Steps

Document that the VaultToken is not supposed to hold tokens.