Open code423n4 opened 2 years ago
Duplicate of #16
Downgraded to QA, with a QA report score of 7.
Preserving original title as warden did not submit a QA Report: Invocation of Controller.sol#_call() with malicious data can withdraw tokens approved for OperateProxy contract
Lines of code
https://github.com/RollaProject/quant-protocol/blob/98639a3ba9c6a50607c304dc6e0c2ee223dbc747/contracts/Controller.sol#L557
Vulnerability details
Impact
Tokens approved to OperateProxy can be withdrawn by an attacker through malicious manipulation of data.
Proof of Concept
In Controller.sol, an attacker can inject malicious function call data as args in operate(), which will ultimately call _call(). For example, if the receiver is one of the ERC20 tokens which has approved the OperateProxy contract, the attacker can inject transferFrom() as data and the token address as callee, which results in withdrawing the funds.
Tools Used
manual analysis
Recommended Mitigation Steps
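As an added illustration (not part of the warden's report and not Rolla's code), the following Python sketch screens the (callee, data) pair of a forwarded call for the pattern described above: an ERC20 transferFrom() selector aimed at a token address, pulling from an account other than the caller. The function names, the token set and the sample addresses are assumptions made for this example.

```python
# Added illustration; all names here are hypothetical, not Rolla's code.
ERC20_SELECTORS = {  # 4-byte selectors of ERC20 calls that move or authorise funds
    bytes.fromhex("23b872dd"): "transferFrom(address,address,uint256)",
    bytes.fromhex("a9059cbb"): "transfer(address,uint256)",
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
}
TRANSFER_FROM = bytes.fromhex("23b872dd")

def word(addr: str) -> bytes:
    """ABI-encode a 20-byte hex address as a left-padded 32-byte word."""
    return bytes(12) + bytes.fromhex(addr[2:])

def screen_call(caller: str, callee: str, data: bytes, tokens: set) -> list:
    """Return findings for one forwarded (callee, data) pair; [] means none."""
    findings = []
    name = ERC20_SELECTORS.get(data[:4])
    if name is None:
        return findings  # not an ERC20 fund-moving selector
    if callee.lower() in tokens:
        findings.append(f"{name} forwarded to token {callee}")
    if data[:4] == TRANSFER_FROM:
        args = data[4:]
        if len(args) < 96 or any(args[:12]):
            findings.append("transferFrom with malformed arguments")
        elif args[:32] != word(caller.lower()):
            findings.append(f"transferFrom pulls from 0x{args[12:32].hex()}, not the caller")
    return findings

# Constructed sample values (not real addresses or transactions).
CALLER = "0x" + "11" * 20
HOLDER = "0x" + "22" * 20
TOKEN = "0x" + "33" * 20
SUSPECT = TRANSFER_FROM + word(HOLDER) + word(CALLER) + (1000).to_bytes(32, "big")
BENIGN = bytes.fromhex("70a08231") + word(CALLER)  # balanceOf(address)

if __name__ == "__main__":
    for label, data in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, screen_call(CALLER, TOKEN, data, {TOKEN}))
```

The same two conditions (callee is a token, and the encoded owner differs from the caller) are what an on-chain guard in front of the forwarding call would need to evaluate.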