Handle
leastwood
Vulnerability details
Impact
The current method of market creation involves calling Factory.createMarket() with a list of approved _conditions and _references accounts. If a registered template address has templates[address(_template)].isOpen == true, then any user is able to call createMarket() using this template. If the template points to PoolTemplate.sol, then a malicious market creator can abuse PoolTemplate.initialize() as it makes a vault deposit from an account that they control. The vulnerable internal function, _depositFrom(), makes a vault deposit from the _references[4] address (arbitrarily set to an approved reference address upon market creation).

Hence, if approved _references accounts have set an unlimited approval amount for Vault.sol before deploying their market, a malicious user can frontrun market creation and cause these tokens to be transferred to the incorrect market.

This issue can cause honest market creators to have their tokens transferred to an incorrectly configured market, leading to unrecoverable funds. If their approval to Vault.sol was set to the unlimited amount, malicious users will also be able to force honest market creators to transfer more tokens than they would normally want to allow.

Proof of Concept
https://github.com/code-423n4/2022-01-insure/blob/main/contracts/Factory.sol#L158-L231
https://github.com/code-423n4/2022-01-insure/blob/main/contracts/PoolTemplate.sol#L178-L221
Tools Used
Manual code review. Discussions with kohshiba.
Recommended Mitigation Steps
After discussions with the sponsor, they have opted to pass a _creator address to PoolTemplate.sol, which will act as the depositor and be set to msg.sender in Factory.createMarket(). This will prevent malicious market creators from forcing vault deposits from unsuspecting users who are approved in Factory.sol and have also approved Vault.sol to make transfers on their behalf.
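As an added illustration, not the project's code, the simplified Solidity below sketches the root cause and the agreed fix: the vault pulls tokens from whichever address the template names, so the safe template binds that address to the account that called createMarket() rather than to a caller-supplied _references[4]. Everything other than createMarket(), initialize(), _depositFrom() and _references[4] (the Vault shape, the deposit amount parameter, the one-shot initializer guard) is an assumption made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed sketch (not the audited contracts): a minimal vault whose
// depositFrom() moves `from`'s tokens on the caller's behalf, relying only
// on an ERC20 approval `from` granted to the vault earlier.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract Vault {
    IERC20 public immutable token;
    constructor(IERC20 _token) { token = _token; }

    // `from` is never consulted: whoever can name it can spend its approval.
    function depositFrom(address from, uint256 amount) external {
        require(token.transferFrom(from, address(this), amount), "transfer failed");
    }
}

// Before: the depositor is whatever _references[4] the market creator chose,
// so any account allowed to call createMarket() picks whose approval is spent.
contract PoolTemplateBefore {
    function initialize(uint256 initialDeposit, address[] calldata _references, Vault vault) external {
        _depositFrom(_references[4], initialDeposit, vault);
    }
    function _depositFrom(address from, uint256 amount, Vault vault) internal {
        vault.depositFrom(from, amount);
    }
}

// After: the factory forwards msg.sender as _creator and the template deposits
// only from that account, so the deposit is always paid by the createMarket() caller.
contract PoolTemplateAfter {
    bool private initialized; // assumed guard: initialize() may run only once
    function initialize(address _creator, uint256 initialDeposit, Vault vault) external {
        require(!initialized, "already initialized");
        initialized = true;
        _depositFrom(_creator, initialDeposit, vault);
    }
    function _depositFrom(address from, uint256 amount, Vault vault) internal {
        vault.depositFrom(from, amount);
    }
}

contract Factory {
    function createMarket(PoolTemplateAfter market, uint256 initialDeposit, Vault vault) external {
        // The depositor is bound to msg.sender, not to a caller-chosen reference address.
        market.initialize(msg.sender, initialDeposit, vault);
    }
}
```

Approved reference accounts still benefit from approving Vault.sol for only the amount of a specific deposit rather than an unlimited allowance, since the fix narrows who can name the depositor but does not change what an outstanding allowance permits.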