code-423n4 / 2021-12-amun-findings


With `protectedCall` permission funds of other users can be stolen #250

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0x0x0x

Vulnerability details

When the diamond has BasketFacet, the following attack is possible:

1- Create a new ERC20 token A with a lot of quantity

2- Lock the basket

3- Send MIN_AMOUNT many token A to the basket

4- Remove all tokens except token A

5- Unlock the basket

6- Call joinPool and, with token A, receive shares from the basket

7- Add all tokens back

8- Exit and profit

As a consequence, user funds are lost.

0xleastwood commented 2 years ago

Again, this is part of their threat model. The contract owner is not expected to be malicious. Ideally, this should be documented better. But it's entirely possible that the contract owner is a governance framework.