code-423n4 / 2021-12-yetifinance-findings


Wrapped JLP can be stolen #208

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

cmichel

Vulnerability details

The WJLP.wrap function accepts a from parameter and a to parameter. The tokens are transferred from the from account to the to account:

function wrap(uint _amount, address _from, address _to, address _rewardOwner) external override {
    // @audit can frontrun and steal => use from=victim, to=attacker
    JLP.transferFrom(_from, address(this), _amount);
    JLP.approve(address(_MasterChefJoe), _amount);

    // stake LP tokens in Trader Joe's.
    // In process of depositing, all this contract's
    // accumulated JOE rewards are sent into this contract
    _MasterChefJoe.deposit(_poolPid, _amount);

    // update user reward tracking
    _userUpdate(_rewardOwner, _amount, true);
    _mint(_to, _amount);
}

When a user wants to wrap their JLP tokens, they first need to approve the contracts with their token and, in a second transaction, call the wrap function. However, an attacker can frontrun the actual wrap function and call their own wrap(from=victim, to=attacker), which will make the victim pay with their approved tokens but the WJLP are minted to the attacker.

Impact

WJLP tokens can be stolen.

Recommended Mitigation Steps

Always transfer from msg.sender instead of using a caller-provided from parameter.
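
The recommended mitigation as a sketch. This is an added example, not part of the original report and not the Yeti Finance code. The contract name, the two minimal interfaces, the constructor, and the `balanceOf`/`rewardStake` mappings (stand-ins for the project's `_mint` and `_userUpdate`) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces assumed for this sketch; only the calls used below.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IMasterChefLike {
    function deposit(uint256 pid, uint256 amount) external;
}

// Hypothetical hardened wrapper, not the project's contract.
contract WJLPHardened {
    IERC20Like public immutable JLP;
    IMasterChefLike public immutable masterChef;
    uint256 public immutable poolPid;

    // Stand-ins for the project's _mint and _userUpdate bookkeeping.
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public rewardStake;

    constructor(IERC20Like jlp, IMasterChefLike chef, uint256 pid) {
        JLP = jlp;
        masterChef = chef;
        poolPid = pid;
    }

    // No _from parameter: the payer is always the caller, so an allowance
    // granted to this contract can only be spent by the account that granted it.
    function wrap(uint256 amount, address to, address rewardOwner) external {
        require(to != address(0), "to is zero");
        require(JLP.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        require(JLP.approve(address(masterChef), amount), "approve failed");

        // Stake the LP tokens, as the original wrap does.
        masterChef.deposit(poolPid, amount);

        // Credit rewards and wrapped balance only after the caller has paid.
        rewardStake[rewardOwner] += amount;
        balanceOf[to] += amount;
    }
}
```

With this signature, a third party calling `wrap` while a user's approval is pending can only spend their own JLP; the pending allowance is usable solely in a transaction sent by the approving account.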

kingyetifinance commented 2 years ago

@LilYeti : Duplicate #58

alcueca commented 2 years ago

Taking as main