Open code423n4 opened 2 years ago
This is true, but is within the acceptable risk model.
While I agree with the warden, this assumes that the admin acts maliciously. As such, I think medium
risk is more in line with a faulty governance.
I still relatively disagree with severity, as with #26 faulty governance is an acceptable risk parameter. Though we should have been more clear that this is the case!
I agree with you fully here, but again it comes down to the judging guidelines which might change in the future. The stated attack vector has stated assumptions which leads to a loss of funds.
2 — Med (M): vulns have a risk of 2 and are considered “Medium” severity when assets are not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
Lines of code
https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/modules/follow/FeeFollowModule.sol#L75-L91
Vulnerability details
In the current implementation, when there is a fee on follow or collect, users need to approve to the follow modules or collect module contract, and then the
Hub
contract can callprocessFollow()
and transfer funds from an arbitrary address (as thefollower
parameter).https://github.com/code-423n4/2022-02-aave-lens/blob/c1d2de2b0609b7d2734ada2ce45c91a73cc54dd9/contracts/core/modules/follow/FeeFollowModule.sol#L75-L91
A common practice is asking users to approve an unlimited amount to the contracts. Normally, the
allowance
can only be used by the user who initiated the transaction.It's not a problem as long as
transferFrom
will always only transfer funds frommsg.sender
and the contract is non-upgradable.However, the
LensHub
contract is upgradeable, andFeeFollowModule
willtransferFrom
an address decided by an input parameterfollower
, use of upgradeable proxy contract structure allows the logic of the contract to be arbitrarily changed.This allows the proxy admin to perform many malicious actions, including taking funds from users' wallets up to the allowance limit.
This action can be performed by the malicious/compromised proxy admin without any restriction.
PoC
Given:
1
usesFeeCollectModule
withcurrency
=WETH
andamount
=1e18
approve()
type(uint256).max
toFeeCollectModule
andfollow()
profileId1
with1e18 WETH
;upgradeToAndCall()
on the proxy contract and set a malicious contract asnewImplementation
, adding a new functions:FeeCollectModule
and setcurrency
=WETH
andamount
=1,000,000
, got profileId =2
rugFollow()
withfollower
=Alice
, profileId =2
, stolen1,000,000
WETH from Alice's walletRecommendation
Improper management of users'
allowance
is the root cause of some of the biggest attacks in the history of DeFi security. We believe there are 2 rules that should be followed:from
oftransferFrom
should always bemsg.sender
;allowance
should always be non-upgradable.We suggest adding a non-upgradeable contract for processing user payments:
This comes with an additional benefit: users only need to approve one contract instead of approving multiple
follow
orcollect
module contracts.