code-423n4 / 2022-02-anchor-findings


Updating the hub’s token contract address may lead to incorrect undelegation amount #62

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-bAsset-contracts/contracts/anchor_basset_hub/src/config.rs#L90-L97

Vulnerability details

Updating the hub’s token contract address may lead to incorrect undelegation amounts

Impact

The hub contract allows config updates to the token_contract config value in anchor-bAsset-contracts/contracts/anchor_basset_hub/src/config.rs. Such updates can cause wrong amounts of tokens to be calculated during processing of undelegations, since the amount of unbonded bLuna tokens is stored for batched unbonding as requested_with_fee.

Proof of Concept

Contract: anchor-bAsset-contracts/contracts/anchor_basset_hub/src/config.rs
Function: pub fn execute_update_config(...)
Line 90:

    // Owner-only config update: a new token_contract is accepted unconditionally,
    // with no check on whether an unbonding batch is still open.
    if let Some(token) = token_contract {
        // Canonicalize the new bLuna token address.
        let token_raw = deps.api.addr_canonicalize(token.as_str())?;

        // Overwrite the stored token_contract; requested_with_fee of the current
        // batch (accumulated under the old token) is left untouched.
        CONFIG.update(deps.storage, |mut last_config| -> StdResult<Config> {
            last_config.token_contract = Some(token_raw);
            Ok(last_config)
        })?;
    }

Recommended Mitigation Steps

It's recommended to remove the ability to update the token_contract config value, or to assert that requested_with_fee is zero before allowing an update of the token_contract address.
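As an added illustration of the second mitigation (not code from the Anchor repository or from this finding): a plain-Rust model in which the owner's token_contract update is refused while the current batch still has requested_with_fee > 0, and accepted once the batch is settled. Config, CurrentBatch, Storage and the two function names are assumed simplifications; cosmwasm's Deps, the CONFIG item and addr_canonicalize are not modelled, and the sample state is constructed.

```rust
// Added model of the mitigation; not the project's cosmwasm code.
// Storage items and addresses are reduced to plain structs and Strings.
use std::fmt;

/// Reduced hub config: only the fields the update path touches.
#[derive(Debug, Clone, PartialEq)]
pub struct Config {
    pub owner: String,
    /// Address of the bLuna token the hub trusts to report unbond requests.
    pub token_contract: Option<String>,
}

/// Reduced current unbonding batch. `requested_with_fee` is the bLuna amount
/// already accepted into the batch (field name taken from the finding).
#[derive(Debug, Clone, PartialEq)]
pub struct CurrentBatch {
    pub id: u64,
    pub requested_with_fee: u128,
}

#[derive(Debug, Clone, PartialEq)]
pub enum ContractError {
    Unauthorized,
    /// A batch still carries amounts requested through the old token contract.
    PendingUnbond { batch_id: u64, requested_with_fee: u128 },
}

impl fmt::Display for ContractError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ContractError::Unauthorized => write!(f, "unauthorized"),
            ContractError::PendingUnbond { batch_id, requested_with_fee } => write!(
                f, "batch {} still has {} bLuna pending; settle it before changing token_contract",
                batch_id, requested_with_fee),
        }
    }
}

/// Stand-in for contract storage (the CONFIG and current-batch items).
pub struct Storage {
    pub config: Config,
    pub current_batch: CurrentBatch,
}

/// Mirrors the original behaviour: the owner may swap token_contract at any time,
/// even while a batch holds amounts requested via the old token.
pub fn update_token_contract_unchecked(store: &mut Storage, sender: &str, token: &str) -> Result<(), ContractError> {
    if sender != store.config.owner {
        return Err(ContractError::Unauthorized);
    }
    store.config.token_contract = Some(token.to_string());
    Ok(())
}

/// Hardened variant: same update, refused while requested_with_fee != 0 so that
/// no batch can mix amounts from two different token contracts.
pub fn update_token_contract_checked(store: &mut Storage, sender: &str, token: &str) -> Result<(), ContractError> {
    if sender != store.config.owner {
        return Err(ContractError::Unauthorized);
    }
    let batch = &store.current_batch;
    if batch.requested_with_fee != 0 {
        return Err(ContractError::PendingUnbond {
            batch_id: batch.id,
            requested_with_fee: batch.requested_with_fee,
        });
    }
    store.config.token_contract = Some(token.to_string());
    Ok(())
}

/// Constructed sample state: batch 7 already has 1_000_000 units requested.
pub fn demo_store() -> Storage {
    Storage {
        config: Config { owner: "owner".to_string(), token_contract: Some("bluna_token_v1".to_string()) },
        current_batch: CurrentBatch { id: 7, requested_with_fee: 1_000_000 },
    }
}

fn main() {
    let mut store = demo_store();
    match update_token_contract_checked(&mut store, "owner", "bluna_token_v2") {
        Ok(()) => println!("updated to {:?}", store.config.token_contract),
        Err(e) => println!("rejected: {}", e),
    }
    // After the batch is released, requested_with_fee is reset and the update goes through.
    store.current_batch.requested_with_fee = 0;
    match update_token_contract_checked(&mut store, "owner", "bluna_token_v2") {
        Ok(()) => println!("updated to {:?}", store.config.token_contract),
        Err(e) => println!("rejected: {}", e),
    }
}
```

The unchecked function is the reference point for the finding: it succeeds on the same state that the checked one rejects, leaving a batch whose requested_with_fee was accumulated under one token address to be processed under another.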

GalloDaSballo commented 2 years ago

Looks like Admin Privilege so Med seems appropriate