Closed code423n4 closed 1 year ago
Seems valid, I believe historically Med was awarded.
Am thinking the damage is marginal and limited only to the recipient, which would not be able to receive the tokens, so arguably the revert would be a good thing
Am thinking QA, but will definitely discuss with Judges and will flag to the Sponsor
I get the point. However, if the entire DripsHub would be blacklisted then nothing would work anymore and we see the Drivers at least developed by us as part of Drips.
However, I agree that we could add such transferTo
parameter which could save one unnecessary transferFrom``call. In general, it depends on the Driver implementation if it is needed or it if would be equal to
msg.sender`
So a valid finding.
We need to discuss the severity.
[disagree with severity: gas optimization] I disagree that blacklisting is an issue we should be trying to defend from. Any protocol can be taken down if its contract are blacklisted and there's nothing that can be done about it, even the proposed mitigation will work partially and in a selective blacklisting case.
I agree that the extra transferring step in some cases is unnecessary and it wastes gas. Transferring funds INTO the protocol must be done with the stop at the driver, but transferring OUT often can be done directly, without the driver in the middle. I agree that it's the driver who should decide, DripsHub should follow the driver's strategy.
CodeSandwich marked the issue as disagree with severity
While arguably the funds would stop working, we know that the tx will revert if either target is blocked from receiving funds, meaning the tx will revert
Due to that, I believe Low Severity to be the most appropriate as no invariant is broken
GalloDaSballo changed the severity to QA (Quality Assurance)
GalloDaSballo marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/AddressDriver.sol#L60-L63 https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/NFTDriver.sol#L109-L117 https://github.com/code-423n4/2023-01-drips/blob/9fd776b50f4be23ca038b1d0426e63a69c7a511d/src/DripsHub.sol#L386
Vulnerability details
Impact
Funds might be unable to collect if a driver is blocklisted.
Proof of Concept
As we can see from
AddressDriver.collect()
, the collected funds fromDripsHub
are transferred to the driver contract first and to the custom address.As we can see here, some tokens including
USDC
andUSDT
have a blocklist and the below scenario would be possible.AddressDriver
orNFTDriver
and he didn't add a migration option to change the driver contract. (Currently,AddressDriver
andNFTDriver
doesn't have the option as well.)Tools Used
Manual Review
Recommended Mitigation Steps
I think we don't need to transfer the funds two times, from
DripsHub
toDriver
, fromDriver
totransferTo
address.We can modify the
collect()
functions like below to transfer the funds directly.