Handle
Jujic
Vulnerability details
A call to an arbitrary contract with custom calldata is made in arbitraryCall(address who, bytes memory data), which means the contract can be an ERC20 token, and the calldata can be transferFrom a previously approved user.
Impact
The wallet balances (for the amount up to the allowance limit) of the tokens that users approved to the Stream contract can be stolen.
Proof of Concept
https://github.com/code-423n4/2021-11-streaming/blob/56d81204a00fc949d29ddd277169690318b36821/Streaming/src/Locke.sol#L743
The attacker creates a Stream contract on the Factory and a malicious ERC20 contract.
Bob has approved 1000 tokens on the Stream contract.
The attacker calls the function:
As a result, 1000 tokens will be stolen from Bob and sent to the attacker.
Tools Used
Remix
Recommended Mitigation Steps
You can remove this dangerous function from the protocol.
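If a generic call function has to stay, a narrower alternative to removal is to refuse the calldata that spends allowances. The sketch below is an added example, not code from Locke.sol or from this report; GuardedCaller, guardedCall and governor are hypothetical names, and the filter covers only the transferFrom path described above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the project's code. All names here are hypothetical.
contract GuardedCaller {
    // Assumed privileged account allowed to trigger generic calls.
    address public immutable governor;

    // Selector of ERC20 transferFrom, the call that spends an allowance.
    bytes4 private constant TRANSFER_FROM =
        bytes4(keccak256("transferFrom(address,address,uint256)"));

    constructor(address _governor) {
        governor = _governor;
    }

    function guardedCall(address who, bytes memory data)
        external
        returns (bytes memory)
    {
        require(msg.sender == governor, "!gov");
        // Calldata shorter than a selector would reach fallback/receive.
        require(data.length >= 4, "short");

        bytes4 selector;
        assembly {
            // First word of the payload; bytes4 keeps its top four bytes.
            selector := mload(add(data, 32))
        }

        // A transferFrom executed by this contract spends allowances that
        // users granted to this contract, so it is never forwarded.
        require(selector != TRANSFER_FROM, "transferFrom");

        (bool ok, bytes memory ret) = who.call(data);
        require(ok, "!suc");
        return ret;
    }
}
```

A selector filter only closes the path it names; removing the function, as recommended above, leaves no generic call path for approved allowances to be reached through.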