Closed code423n4 closed 1 year ago
I think it's probably invalid because dola.transferFrom(msg.sender, address(this), 1 ether); in the warden's AttackerMarket.sol should revert because of lack of allowance. The DOLA used in the tests does not check for allowance in transferFrom, but the real DOLA does.
There could be an attack vector here, but I think the Warden was not able to prove it in the test.
0xean marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Fed.soll#L131-L137
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Fed.sol#L120-L125
Vulnerability details
Description
Due to lack of protection control, it is possible to steal Fed contract's DOLA balance by using a malicious attackerMarket contract by calling Fed#takeProfit() public function.
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Fed.soll#L131-L137
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Fed.sol#L120-L125
takeProfit is a public function that calls market.recall(profit). By placing a malicious IMarket contract, we can make Fed call our malicious function of recall which will allow us to impersonate as Fed's address.
This will allow us to transfer DOLA from Fed's balance to our malicious contract.
Proof of Concept
Deploy AttackerMarket.sol to the same path where Fed.sol is (i.e. 2022-10-inverse/src/).
Add the following forge test script in Fed.t.sol:
Don't forget to import
Foundry Forge Test Results
Recommended mitigation steps
I actually ran out of contest time to think of proper mitigation steps, but would love to help out with the mitigation steps if needed. But on a quick glance, probably some access control should be enough.
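The allowance point raised in the comment at the top of this thread, as an added Foundry test that is neither the warden's PoC nor the project's code: the same pull from inside recall() succeeds against a mock token that skips the allowance check and reverts against one that enforces it. ToyDola, PullingMarket and the test names are hypothetical, and the test contract itself plays the role of the caller whose tokens are pulled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
import "forge-std/Test.sol";

// Constructed test token (hypothetical). checkAllowance=false mimics a mock whose
// transferFrom skips the allowance check; true mimics standard ERC-20 behaviour.
contract ToyDola {
    bool immutable checkAllowance;
    mapping(address => uint) public balanceOf;
    mapping(address => mapping(address => uint)) public allowance;
    constructor(bool _check) { checkAllowance = _check; }
    function mint(address to, uint amount) external { balanceOf[to] += amount; }
    function transferFrom(address from, address to, uint amount) external returns (bool) {
        if (checkAllowance) allowance[from][msg.sender] -= amount; // underflow reverts
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Stand-in for a market whose recall() tries to pull tokens from its caller.
contract PullingMarket {
    ToyDola immutable dola;
    constructor(ToyDola _dola) { dola = _dola; }
    function recall(uint) external {
        dola.transferFrom(msg.sender, address(this), 1 ether);
    }
}

contract AllowanceCheckTest is Test {
    function pull(bool strict) internal returns (ToyDola dola, PullingMarket market) {
        dola = new ToyDola(strict);
        market = new PullingMarket(dola);
        dola.mint(address(this), 10 ether); // this contract is the caller; it never approves
        if (strict) vm.expectRevert();      // no allowance was granted to the market
        market.recall(0);
    }

    function testMockWithoutAllowanceCheckLetsPullSucceed() public {
        (ToyDola dola, PullingMarket market) = pull(false);
        assertEq(dola.balanceOf(address(market)), 1 ether);
    }

    function testAllowanceCheckingTokenReverts() public {
        (ToyDola dola, PullingMarket market) = pull(true);
        assertEq(dola.balanceOf(address(market)), 0);
    }
}
```

A test suite whose mock token diverges from the deployed token's transferFrom semantics can report a passing PoC for a path that reverts on chain, so mocks used in security tests should enforce allowances.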