code-423n4 / 2022-02-tribe-turbo-findings


Turbo Safes can be created with malicious tokens #4

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L161
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L43

Vulnerability details

Impact

In TurboMaster.sol the createSafe() function is called when the user calls a function with the same name in the TurboRouter.sol file. It then creates a new Turbo Safe with an arbitrary token supplied by the user. Since there is no whitelist of acceptable tokens, new Turbo Safes can be created using malicious tokens created by an attacker. These malicious tokens only need to have the same function names as the ERC20 standard, but they can perform any action or return any value when interacted with. The protocol interacts with them under the assumption that the normal ERC20 functions will work as they should, when in fact they are attacker-controlled and can be used to exploit the caller and the protocol.

Proof of Concept

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L161

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L43

Tools Used

Manual code review

Recommended Mitigation Steps

A user should not be able to create Turbo Safes with malicious tokens, so a whitelist mapping or array of acceptable tokens should be created. When createSafe() is called, the function should require that the passed-in token is whitelisted and revert if it is not. This will prevent the creation of malicious Turbo Safes.
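The two gating patterns discussed in this thread (an explicit allowlist checked in the factory, and an implicit one where the asset must resolve to a known lending market or the call reverts) side by side, as an added illustration that is not Tribe Turbo's own code. `IPoolLookup`, `cTokensByUnderlying`, `SafeFactoryExample` and the revert strings are assumptions chosen for the example; the real contracts are linked above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Assumed lookup interface (not the project's): returns the lending-market token
// for an underlying asset, or address(0) when no market has been configured for it.
interface IPoolLookup {
    function cTokensByUnderlying(address underlying) external view returns (address);
}

// Hypothetical factory showing where a token check belongs: before any call into
// the user-supplied token contract, so attacker-controlled code is never reached.
contract SafeFactoryExample {
    address public immutable owner;
    IPoolLookup public immutable pool;

    // Approach 1: explicit allowlist, maintained by the owner (the finding's mitigation).
    mapping(address => bool) public isAllowedToken;

    uint256 public safeCount;
    event SafeCreated(address indexed creator, address indexed token, uint256 id);

    constructor(IPoolLookup _pool) {
        owner = msg.sender;
        pool = _pool;
    }

    function setAllowedToken(address token, bool allowed) external {
        require(msg.sender == owner, "NOT_OWNER");
        isAllowedToken[token] = allowed;
    }

    // Rejects anything not explicitly added to the mapping.
    function createSafeAllowlisted(address token) external returns (uint256 id) {
        require(isAllowedToken[token], "TOKEN_NOT_ALLOWED");
        id = _create(token);
    }

    // Approach 2: implicit allowlist, as the sponsor describes. The set of acceptable
    // tokens is whatever the pool has a market for; an unknown token resolves to
    // address(0) and the call reverts before the token is ever called.
    function createSafeByLookup(address token) external returns (uint256 id) {
        require(pool.cTokensByUnderlying(token) != address(0), "NO_MARKET_FOR_TOKEN");
        id = _create(token);
    }

    function _create(address token) internal returns (uint256 id) {
        id = ++safeCount;
        emit SafeCreated(msg.sender, token, id);
        // Deployment of the actual safe contract would happen here; by this point
        // the token has passed one of the checks above.
    }
}
```

The difference between the two is who curates the set: approach 1 needs an admin to maintain the mapping, while approach 2 reuses a check that the lending pool already enforces, which is why the sponsor argued a separate whitelist adds nothing.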

transmissions11 commented 2 years ago

Contested. The whitelisting is done in the TurboSafe itself when it performs a lookup of the cToken equivalent of the asset. If none exists, it reverts.

GalloDaSballo commented 2 years ago

Agree with the sponsor; in the absence of a POC, am marking invalid.