code-423n4 / 2022-06-notional-coop-findings


you can mint any amount of tokens and steal eth from the contract #206

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashLogic.sol#L50

Vulnerability details

Impact

The attacker calls the mintViaAsset function. If the attacker wants to lend ETH that you supply to the contract, it will take the ETH, make it into WETH, and then lend it. You can mint as many tokens as you want because if (isETH) is true it just converts the ETH to WETH and then does the safeTransferFrom to me, the receiver, in that function; sendTokensToReceiver issues giving me more money than I tried to lend, causing loss of funds and minting any amount of tokens. (x-anything) The attacker supplies depositAmountExternal=10, fCashAmount=1000, x, true; balanceBefore = balance of ETH from this contract = 10 ETH .... gets put into WETH, receiver=attacker, and the fCashAmount that is supplied is not checked, so I can mint as many tokens as I want because the balance being checked is depositAmountExternal, not fCashAmount.

_mint(receiver, fCash, "", "", false); _sendTokensToReceiver; balanceAfter = ETH balance of the contract, currently 1000.
tokensTransferred = 1000 - 10 = 900; it transfers me the tokens, 900 tokens, depleting all of the ETH in the contract and causing loss of funds.

Tools Used

Manual analysis

Recommended Mitigation Steps

Have multiple checks on how much balance there is and make it the same balance in one. tokensTransferred stays the same, e.g. make a state variable with an event.

jeffywu commented 2 years ago

It's not clear to me what the reporter is saying here.