Fund loss or theft by attacker with creating a flash loan and setting SuperVault as receiver so executeOperation() will be get called by lendingPool but with attackers specified params #123
According to Aave documentation, when requesting flash-loan, it's possible to specify a receiver, so function executeOperation() of that receiver will be called by lendingPool.
https://docs.aave.com/developers/v/2.0/guides/flash-loans
In the SuperVault there is no check to prevent this attack so attacker can use this and perform griefing attack and make miner contract lose all its funds. or he can create specifically crafted params so when executeOperation() is called by lendingPool, attacker could steal vault's user funds.
Proof of Concept
To exploit this attacker will do this steps:
will call Aave lendingPool to get a flash-loan and specify SuperVault as receiver of flash-loan. and also create a specific params that invoke Operation.REBALANCE action to change user vault's collateral.
lendingPool will call executeOperation() of SuperVault with attacker specified data.
executeOperation() will check msg.sender and will process the function call which will cause some dummy exchanges that will cost user exchange fee and flash-loan fee.
attacker will repeat this attack until user losses all his funds.
To steal user fund in SupperVault attacker needs more steps. in all these actions (Operation.REBALANCE, Operation.LEVERAGE, Operation.EMPTY) contract will call aggregatorSwap() with data that are controlled by attacker.
Attacker can put special data in dexTxData that make contract to do an exchange with bad price. To do this, attacker will create a smart contract that will do this steps:
manipulate price in exchange with flash loan.
make a call to executeOperation() by Aave flash-loan with receiver and specific params so that SuperVault will make calls to manipulated exchange for exchanging.
do the reverse of #1 and pay the flash-loan and steal the user fund.
The details are:
Attacker can manipulate swapping pool price with flash-loan, then Attacker will create specific params and perform steps 1 to 4. so contract will try to exchange tokens and because of attacker price manipulation and specific dexTxData, contract will have bad deals.
After that, attacker can reverse the process of swap manipulation and get his flash-loan tokens and some of SuperVault funds and. then pay the flash-loan.
Tools Used
VIM
Recommended Mitigation Steps
There should be some state variable which stores the fact that SuperVault imitated flash-loan.
When contract tries to start flash-loan, it sets the isFlash to True and executeOperation() only accepts calls if isFlash is True. and after the flash loan code will set isFlash to False.
Lines of code
https://github.com/code-423n4/2022-04-mimo/blob/b18670f44d595483df2c0f76d1c57a7bfbfbc083/supervaults/contracts/SuperVault.sol#L76-L99
Vulnerability details
Impact
According to Aave documentation, when requesting flash-loan, it's possible to specify a
receiver
, so functionexecuteOperation()
of thatreceiver
will be called bylendingPool
. https://docs.aave.com/developers/v/2.0/guides/flash-loans In theSuperVault
there is no check to prevent this attack so attacker can use this and performgriefing attack
and make miner contract lose all its funds. or he can create specifically craftedparams
so whenexecuteOperation()
is called bylendingPool
, attacker could steal vault's user funds.Proof of Concept
To exploit this attacker will do this steps:
Aave lendingPool
to get a flash-loan and specifySuperVault
asreceiver
of flash-loan. and also create a specificparams
that invokeOperation.REBALANCE
action to change user vault's collateral.lendingPool
will callexecuteOperation()
ofSuperVault
with attacker specified data.executeOperation()
will checkmsg.sender
and will process the function call which will cause some dummy exchanges that will cost user exchange fee and flash-loan fee.attacker will repeat this attack until user losses all his funds.
To steal user fund in
SupperVault
attacker needs more steps. in all these actions (Operation.REBALANCE
,Operation.LEVERAGE
,Operation.EMPTY
) contract will callaggregatorSwap()
with data that are controlled by attacker.Attacker can put special data in
dexTxData
that make contract to do an exchange with bad price. To do this, attacker will create a smart contract that will do this steps:executeOperation()
byAave flash-loan
withreceiver
and specificparams
so thatSuperVault
will make calls to manipulated exchange for exchanging.params
and perform steps 1 to 4. so contract will try to exchange tokens and because of attacker price manipulation and specificdexTxData
, contract will have bad deals. After that, attacker can reverse the process of swap manipulation and get his flash-loan tokens and some ofSuperVault
funds and. then pay the flash-loan.Tools Used
VIM
Recommended Mitigation Steps
There should be some state variable which stores the fact that
SuperVault
imitated flash-loan. When contract tries to start flash-loan, it sets theisFlash
toTrue
andexecuteOperation()
only accepts calls ifisFlash
isTrue
. and after the flash loan code will setisFlash
toFalse.