code-423n4 / 2022-06-infinity-findings


Admin can set arbitrarily high WETH_TRANSFER_GAS_UNITS which is a fee #276

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L1260-L1263 https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L231-L237

Vulnerability details

Impact

Users can lose their funds through an attack from the admins.

PoC

In the function updateWethTranferGas in InfinityExchange.sol there is no limit when setting WETH_TRANSFER_GAS_UNITS, and this is a kind of fee paid by the buyers to the contract.

By definition of the variable

```solidity
/// @dev Gas cost for auto sniped orders are paid by the buyers and refunded to this contract in the form of WETH
uint32 public WETH_TRANSFER_GAS_UNITS = 50000;
```

The function is

```solidity
/// @dev updates the gas units required for WETH transfers
function updateWethTranferGas(uint32 _wethTransferGasUnits) external onlyOwner {
    WETH_TRANSFER_GAS_UNITS = _wethTransferGasUnits;
    emit NewWethTransferGasUnits(_wethTransferGasUnits); // @audit medium
}
```

And in _execMatchOneToOneOrders in InfinityExchange.sol:

```solidity
uint256 gasCost = (startGasPerOrder - gasleft() + wethTransferGasUnits) * tx.gasprice;
// if the execution currency is weth, we can send the protocol fee and gas cost in one transfer to save gas
// else we need to send the protocol fee separately in the execution currency
if (buy.execParams[1] == weth) {
    IERC20(weth).safeTransferFrom(buy.signer, address(this), protocolFee + gasCost);
} else {
    IERC20(buy.execParams[1]).safeTransferFrom(buy.signer, address(this), protocolFee);
    IERC20(weth).safeTransferFrom(buy.signer, address(this), gasCost);
}
```

gasCost will be extremely high and the buyer will pay this to the contract in `IERC20(weth).safeTransferFrom(buy.signer, address(this), protocolFee + gasCost);`.

Recommended

Add a maximum reasonable WETH_TRANSFER_GAS_UNITS.
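The following is an added illustration of the recommended mitigation, not code from the Infinity contracts or from the finding's author. It places the unbounded setter's logic next to a bounded version and mirrors the gasCost formula from the finding so the effect of the cap is visible. The contract name, the `MAX_WETH_TRANSFER_GAS_UNITS` value of 100000, the custom error and the `quoteGasCost` helper are all assumptions chosen for the example; the real bound is a design decision for the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (not the project's code): the WETH gas-units setter with an upper bound,
/// so the owner cannot turn the per-order gas reimbursement into an arbitrary fee on buyers.
contract WethGasUnitsBounded {
    address public owner;

    /// @dev Gas cost for auto-sniped orders is paid by the buyers and refunded to this contract in WETH
    uint32 public WETH_TRANSFER_GAS_UNITS = 50000;

    /// Hypothetical cap chosen for this example; the project would pick its own value.
    uint32 public constant MAX_WETH_TRANSFER_GAS_UNITS = 100000;

    event NewWethTransferGasUnits(uint32 wethTransferGasUnits);

    /// Hypothetical error type for the example.
    error GasUnitsTooHigh(uint32 requested, uint32 max);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Bounded setter: any value above the cap reverts, so the reimbursement charged to a
    /// buyer is limited to (gasUsed + MAX_WETH_TRANSFER_GAS_UNITS) * tx.gasprice.
    function updateWethTransferGas(uint32 _wethTransferGasUnits) external onlyOwner {
        if (_wethTransferGasUnits > MAX_WETH_TRANSFER_GAS_UNITS) {
            revert GasUnitsTooHigh(_wethTransferGasUnits, MAX_WETH_TRANSFER_GAS_UNITS);
        }
        WETH_TRANSFER_GAS_UNITS = _wethTransferGasUnits;
        emit NewWethTransferGasUnits(_wethTransferGasUnits);
    }

    /// Mirrors the gasCost formula from _execMatchOneToOneOrders (hypothetical helper for
    /// the example) so a reviewer can see the bound the cap imposes on what a buyer pays.
    function quoteGasCost(uint256 startGasPerOrder, uint256 gasLeftNow, uint256 gasPrice)
        external
        view
        returns (uint256)
    {
        return (startGasPerOrder - gasLeftNow + WETH_TRANSFER_GAS_UNITS) * gasPrice;
    }
}
```

A cap of this kind bounds the damage from a compromised or malicious owner key but does not remove the trust placed in that key; a reviewer would also want the setter behind a timelock or multisig and the `NewWethTransferGasUnits` event monitored, since any change to the value is observable on-chain before it affects subsequent orders.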

nneverlander commented 2 years ago

Duplicate

HardlyDifficult commented 2 years ago

Dupe https://github.com/code-423n4/2022-06-infinity-findings/issues/127