Closed code423n4 closed 2 years ago
ritik99
commented
2 years ago The main issue arises here from the admin setting an absurdly high start fee maliciously. However, as mentioned in the contest readme, it is assumed that the admin is a trusted actor and thus would have no incentives to do so. The start fee has been introduced to act as an incentive for someone to call the start() function
HardlyDifficult
commented
2 years ago Agree - this vulnerability is focused on the owner account doing something unreasonable, but the readme states the assumption:
- The admin is a trusted actor
For the initial stages of the protocol development, the admin is going to be handled by us. Thus, contracts, functions, and critical thresholds are set to be upgradeable by the admin to allow effective action in case of emergencies. Over time, such functions would be decentralized.
Lines of code
https://github.com/sublime-finance/sublime-v1/blob/46536a6d25df4264c1b217bd3232af30355dcb95/contracts/PooledCreditLine/LenderPool.sol#L306-L330
Vulnerability details
https://github.com/sublime-finance/sublime-v1/blob/46536a6d25df4264c1b217bd3232af30355dcb95/contracts/PooledCreditLine/LenderPool.sol#L306-L330
A configurable
startFeeFractionwith no upper bound can be claimed by the caller to a specified address.The fee is not based on the gas cost, but on the
_totalLentof the pool.We believe this
startFeereward is unnecessary and it creates a potential rug vector.PoC
Given:
_totalLentis 5M USDC.A malicious/compromised owner can first set the
startFeeFractionto0and wait until the_startTimethen do the following steps in one tx:startFeeFractionto 95%;start()and settoas the attacker's address;As a result, 4.9M USDC will be stolen by the attacker.
Recommendation
startFeerewards. The borrower should be the one who callsstart()or the protocol can set up a keeper to callstart().startFee, eg, 10 BPS or so.