search

code-423n4 / 2022-02-anchor-findings

0 stars 0 forks source link

Missing checks on the provided native tokens in the market contract could cause loss of funds #72

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/market/src/deposit.rs#L22-L32 https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/market/src/borrow.rs#L123-L133

Vulnerability details

Impact

The deposit_stable function of the market contract only checks if a non-zero amount of stable_denom is provided but does not ensure users didn't provide other native tokens. If users send native tokens other than stable_denom when calling this function, their funds are lost in the contract and unrecoverable. The same issue exists in the repay_stable function as well.

On the other hand, the submit_bid function in the liquidation contract includes an explicit check to ensure only stable_denom is provided.

Proof of Concept

Referenced code: market/src/deposit.rs#L22-L32 market/src/borrow.rs#L123-L133

Recommended Mitigation Steps

Consider adding checks to prevent users from sending other native tokens to the contract. Please refer to the following implementation: liquidation_queue/src/bid.rs#L33-L53

GalloDaSballo commented 2 years ago

Not convinced anyone would randomly send extra tokens unsolicited.

However, some validity (perhaps QA) because the sponsor already added the check in a separate function

GalloDaSballo commented 2 years ago

Also see #42