code-423n4 / 2022-03-rolla-findings


QA Report #23

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/RollaProject/quant-protocol/blob/98639a3ba9c6a50607c304dc6e0c2ee223dbc747/contracts/Controller.sol#L557

Vulnerability details

Impact

Tokens approved to OperateProxy can be withdrawn by an attacker through malicious manipulation of call data

Proof of Concept

In Controller.sol, an attacker can inject malicious function-call data as args in operate(), which will ultimately call _call(). For example, if the receiver is one of the ERC20 tokens that has approved the OperateProxy contract, the attacker can inject transferFrom() as the data and the token address as the callee, which results in withdrawing the funds.

Tools Used

manual analysis

Recommended Mitigation Steps

quantizations commented 2 years ago

Duplicate of #16

alcueca commented 2 years ago

Downgraded to QA, with a QA report score of 7.

JeeberC4 commented 2 years ago

Preserving original title as warden did not submit a QA Report: Invocation of Controller.sol#_call() with malicious data can withdraw tokens approved for OperateProxy contract
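The pattern the finding describes, an arbitrary-call forwarder that can spend any ERC20 allowance granted to it, alongside one way to harden it, as an added illustration. This is constructed example code, not the warden's PoC and not Rolla's Controller.sol or its eventual fix; the contract names, the admin-maintained callee allowlist, the selector check and the event are all assumptions chosen here to make the risk and a mitigation concrete.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// Minimal ERC20 surface used below (assumption: standard ERC20 transferFrom).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern (constructed illustration, not the project's code):
/// the proxy forwards caller-supplied calldata to a caller-chosen callee.
/// If any user has approved this contract on an ERC20 token, anyone can
/// route a transferFrom() through it and spend that allowance.
contract ArbitraryCallProxy {
    function callFunction(address callee, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = callee.call(data);
        require(ok, "call failed");
        return ret;
    }
}

/// Hardened variant (added here; an assumption, not Rolla's fix):
/// 1. callees must be on an admin-maintained allowlist, so user-chosen
///    token contracts are never reachable through the proxy;
/// 2. the transferFrom selector is refused outright as defense in depth;
/// 3. every forwarded call is logged so monitoring can spot unexpected
///    callee/selector pairs.
contract RestrictedCallProxy {
    address public immutable admin;
    mapping(address => bool) public allowedCallee;

    bytes4 private constant TRANSFER_FROM = IERC20.transferFrom.selector;

    event CalleeAllowed(address indexed callee, bool allowed);
    event Forwarded(address indexed caller, address indexed callee, bytes4 selector);

    constructor() {
        admin = msg.sender;
    }

    function setCallee(address callee, bool allowed) external {
        require(msg.sender == admin, "not admin");
        allowedCallee[callee] = allowed;
        emit CalleeAllowed(callee, allowed);
    }

    function callFunction(address callee, bytes calldata data) external returns (bytes memory) {
        require(allowedCallee[callee], "callee not allowed");
        require(data.length >= 4, "missing selector");
        bytes4 selector = bytes4(data[:4]);
        require(selector != TRANSFER_FROM, "transferFrom forbidden");

        emit Forwarded(msg.sender, callee, selector);
        (bool ok, bytes memory ret) = callee.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

The allowlist is the real control: a proxy that can call arbitrary addresses should never be a contract users are asked to approve, and restricting callees to known protocol contracts removes the token as a reachable target. The selector check alone would not be enough, since other token entry points (for example a permit-style function) could be abused the same way, which is why it is only layered on top.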