Closed code423n4 closed 1 year ago
The AMM does not support rebasing tokens. This is a dup of https://github.com/code-423n4/2022-12-Stealth-Project-findings/issues/78
gte620v marked the issue as sponsor disputed
Since this is a fork of Uniswap v3, which clearly states it does not accept FoT or rebasing tokens, I'm going to mark this issue as QA. See here for Uniswap docs.
Lines of code
https://github.com/code-423n4/2022-12-Stealth-Project/blob/fc8589d7d8c1d8488fd97ccc46e1ff11c8426ac2/maverick-v1/contracts/models/Pool.sol#L300-L303
Vulnerability details
Impact
In Pool.swap, when the user swaps, the contract saves the current input token balance of the contract to the previousBalance variable after sending the output token to the user, and then the user can send the amountIn amount of input token to the contract in the swapCallback, and the contract will require the current input token balance to be greater than previousBalance + amountIn.
However, if the input token is a rebasing token and anyone can trigger the rebase event for that rebasing token, the user can trigger the rebase event in the swapCallback to increase the total supply of rebasing tokens, so that even if the user does not send rebasing tokens to the contract in the swapCallback, the balance of rebasing tokens in the contract will increase, allowing the user to steal the output tokens in the Pool.
Proof of Concept
https://github.com/code-423n4/2022-12-Stealth-Project/blob/fc8589d7d8c1d8488fd97ccc46e1ff11c8426ac2/maverick-v1/contracts/models/Pool.sol#L300-L303
Tools Used
None
Recommended Mitigation Steps
Consider using a blacklist to ban the use of these tokens.
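The balance-delta check described in this report, as a simplified Python model added for illustration (not code from the Maverick repository or from the report's author). The class names, the share/index accounting, the 1000-unit balances and the 10% rebase are constructed assumptions; the model shows why the check cannot tell a payment from a rebase, and how a denylist check before the swap refuses such a token.

```python
from fractions import Fraction

class Token:
    """Ledger where balance = shares * index; a plain token keeps index at 1."""
    def __init__(self):
        self.shares, self.index = {}, Fraction(1)
    def balance_of(self, who):
        return self.shares.get(who, 0) * self.index
    def mint(self, who, amount):
        self.shares[who] = self.shares.get(who, 0) + Fraction(amount) / self.index
    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.shares[src] -= Fraction(amount) / self.index
        self.shares[dst] = self.shares.get(dst, 0) + Fraction(amount) / self.index

class RebasingToken(Token):
    def rebase(self, factor):
        """Scale every holder's balance at once; no transfer takes place."""
        self.index *= Fraction(factor)

class Pool:
    """Hypothetical stand-in for the pool: only the input-side check is modelled."""
    def __init__(self, token_in, denylist=()):
        self.token_in, self.denylist = token_in, set(denylist)
    def swap(self, amount_in, callback):
        if self.token_in in self.denylist:      # mitigation: refuse listed tokens
            return "rejected"
        previous = self.token_in.balance_of(self)
        callback(self)                          # caller is expected to pay here
        if self.token_in.balance_of(self) < previous + amount_in:
            return "reverted"
        return "ok"

def scenario(token, callback, denylist=()):
    pool = Pool(token, denylist)
    token.mint(pool, 1000)    # constructed pool reserve
    token.mint("user", 1000)  # constructed user balance
    return pool.swap(100, callback)

def results():
    plain, reb, reb2 = Token(), RebasingToken(), RebasingToken()
    return {
        "plain_paid": scenario(plain, lambda p: plain.transfer("user", p, 100)),
        "plain_unpaid": scenario(Token(), lambda p: None),
        "rebase_unpaid": scenario(reb, lambda p: reb.rebase("11/10")),
        "rebase_denylisted": scenario(reb2, lambda p: reb2.rebase("11/10"), [reb2]),
    }
```

In the model, `rebase_unpaid` passes the check with no transfer because the pool's own balance grew by the rebase, while the same token is refused outright once it is on the denylist.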