Closed code423n4 closed 2 years ago
https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/DexManagerFacet.sol#L17-L26 https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/GenericSwapFacet.sol#L22-L43
GenericSwapFacet.swapTokensGeneric() can run arbitrary calls on any whitelisted addresses. A malicious/compromised governance can whitelist token contracts and steal funds from users that have given allowance to LiFi contract.
GenericSwapFacet.swapTokensGeneric()
addDex()
swapTokensGeneric()
transferFrom
Recommend using timelock when managing dexWhitelist.
dexWhitelist
Duplicate of #65
H3xept
commented
2 years ago
Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/DexManagerFacet.sol#L17-L26 https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/GenericSwapFacet.sol#L22-L43
Vulnerability details
Impact
GenericSwapFacet.swapTokensGeneric()can run arbitrary calls on any whitelisted addresses. A malicious/compromised governance can whitelist token contracts and steal funds from users that have given allowance to LiFi contract.Proof of Concept
addDex(), whitelisting USDC contract.swapTokensGeneric()with USDC as the callTo andtransferFromas the callData, stealing Alice's fund.Recommended Mitigation Steps
Recommend using timelock when managing
dexWhitelist.