search

code-423n4 / 2022-07-swivel-findings

0 stars 1 forks source link

Swivel.sol is missing `authRedeem()` function called in `Marketplace.sol` #186

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-07-swivel/blob/daf72892d8a8d6eaa43b9e7d1924ccb0e612ee3c/Marketplace/MarketPlace.sol#L156 https://github.com/code-423n4/2022-07-swivel/blob/daf72892d8a8d6eaa43b9e7d1924ccb0e612ee3c/Swivel/Swivel.sol#L620

Vulnerability details

Impact

A user redeems or withdraws from their ZcToken by calling ZcToken.withdraw() or ZcToken.redeem(). Both of these functions then call MarketPlace.authRedeem() which in turn calls Swivel.authRedeem(). The issue is that Swivel.sol does not have an authRedeem() function. Instead it only has the authRedeemZcToken() function.

Therefore, all redeem/withdraw operations will fail and all users' funds will be stuck.

Proof of Concept

  1. User attempts to redeem their ZcToken that has matured with ZcToken.redeem()
    • This function calls MarketPlace.authRedeem()
  2. MarketPlace.authRedeem() calls ISwivel(swivel).authRedeem(p, u, market.cTokenAddr, t, a);
    • Since Swivel.sol does not contain this function, the call will revert and the user's ZcToken will not be redeemed. Their underlying will sit in the contract.

Tools Used

Manual review.

Recommended Mitigation Steps

Change the function name in Swivel.sol from authRedeemZcToken() to authRedeem().

JTraversa commented 2 years ago

Duplicate of #39

robrobbins commented 2 years ago

This had been a regression. Current branch has both the interface: https://github.com/Swivel-Finance/gost/blob/v3/test/marketplace/Interfaces.sol#L40 and the Swivel.sol: https://github.com/Swivel-Finance/gost/blob/v3/test/swivel/Swivel.sol#L592 with the correct authRedeem

No PR link as this was fixed whilst correcting for said regression

bghughes commented 2 years ago

Duplicate of #39