Duplicate of #65
Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/DexManagerFacet.sol#L17-L26
https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/GenericSwapFacet.sol#L22-L43
Vulnerability details
Impact
GenericSwapFacet.swapTokensGeneric() can run arbitrary calls on any whitelisted addresses. A malicious/compromised governance can whitelist token contracts and steal funds from users that have given allowance to LiFi contract.
Proof of Concept
addDex(), whitelisting USDC contract.
swapTokensGeneric() with USDC as the callTo and transferFrom as the callData, stealing Alice's fund.
Recommended Mitigation Steps
Recommend using timelock when managing dexWhitelist.
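One way the recommended timelock could look, as an added example that is not code from the report or from the LiFi repository. The contract name, the queue/execute/cancel functions, the single-owner access control and the two-day delay are all assumptions; only the `dexWhitelist` name comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

/// Illustrative only: hypothetical names, not LiFi's DexManagerFacet.
contract TimelockedDexWhitelist {
    uint256 public constant DELAY = 2 days; // assumed delay
    address public immutable owner;
    mapping(address => bool) public dexWhitelist;
    mapping(address => uint256) public eta; // earliest activation time per queued address

    event DexQueued(address indexed dex, uint256 eta);
    event DexAdded(address indexed dex);
    event DexCancelled(address indexed dex);
    event DexRemoved(address indexed dex);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Step 1: announce the address on-chain; it is not callable yet.
    function queueDex(address dex) external onlyOwner {
        require(dex != address(0), "zero address");
        require(!dexWhitelist[dex], "already whitelisted");
        require(eta[dex] == 0, "already queued");
        eta[dex] = block.timestamp + DELAY;
        emit DexQueued(dex, eta[dex]);
    }

    // Step 2: the whitelist entry becomes active only after the delay.
    function executeAddDex(address dex) external onlyOwner {
        uint256 t = eta[dex];
        require(t != 0, "not queued");
        require(block.timestamp >= t, "timelock active");
        delete eta[dex];
        dexWhitelist[dex] = true;
        emit DexAdded(dex);
    }

    function cancelDex(address dex) external onlyOwner {
        require(eta[dex] != 0, "not queued");
        delete eta[dex];
        emit DexCancelled(dex);
    }

    // Removal only tightens the whitelist, so it takes effect immediately.
    function removeDex(address dex) external onlyOwner {
        dexWhitelist[dex] = false;
        emit DexRemoved(dex);
    }
}
```

The `DexQueued` event is what gives users and monitoring a window to react, for example by revoking allowances, before a queued address such as a token contract becomes a valid call target.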