Joeysantoro
commented
2 years ago The feiAmount is simply passed as metadata in case a future booster implementation needs it, due to the immutable nature of the TurboMaster. This is intended behavior
Closed code423n4 closed 2 years ago
Joeysantoro
commented
2 years ago The feiAmount is simply passed as metadata in case a future booster implementation needs it, due to the immutable nature of the TurboMaster. This is intended behavior
GalloDaSballo
commented
2 years ago The parameter is unused, however there seems to be zero impact. In lack of a POC am marking as invalid
Lines of code
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L233 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboBooster.sol#L100
Vulnerability details
Impact
In TurboMaster.sol the onSafeBoost() function calls canSafeBoostVault() on the booster contract to check if the safe is allowed to boost the vault using the feiAmount which is passed in by the caller as an argument. The problem is that the feiAmount is never actually checked in the booster.canSafeBoostVault() function which means a safe will be able to boost the vault using any amount of fei they want.
Proof of Concept
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboBooster.sol#L100
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L233
Tools Used
Manual code review
Recommended Mitigation Steps
The canSafeBoostVault() function needs to actually implement the logic checking if the safe is authorized to boost the vault with the passed in feiAmount.