code-423n4 / 2023-01-numoen-findings


Payment multiple functions do not check the caller #144

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-numoen/blob/main/src/periphery/Payment.sol#L25-L46

Vulnerability details

Impact

Multiple functions in the Payment contract do not check the caller. For example, an attacker can directly call refundETH() to transfer the assets in the contract:

```solidity
function refundETH() external payable { // @audit
  if (address(this).balance > 0) SafeTransferLib.safeTransferETH(msg.sender, address(this).balance);
}
```

In addition, unwrapWETH() and sweepToken() have the same problem.

Proof of Concept

Call the corresponding function directly.

Tools Used

vscode

Recommended Mitigation Steps

Check the caller permissions of key functions.

berndartmueller commented 1 year ago

The Payment abstract utility contract is only used by the LendgineRouter and the LiquidityManager contracts, which both do not intend to hold any token funds directly.

If there's leftover WETH in those two contracts, it's not systematic and only because a previous user mistakenly transferred the incorrect amount. Additionally, the protocol is permissionless, there's no contract owner.

Closing as invalid.
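The disagreement above comes down to one invariant: a refund helper with no caller check is harmless exactly when the contract never holds a balance between transactions. The following Solidity sketch is an added illustration, not code from the 2023-01-numoen repository; the contract names (PaymentLike, RouterLike, IVault) and the plain `call`-based transfer in place of SafeTransferLib are assumptions. It shows the unguarded helper next to the usage pattern that keeps the invariant (forward what is needed, refund the remainder in the same transaction) and a view function a reviewer or monitoring job can use to check that no ETH is sitting idle.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's own code. Models the pattern discussed in
// this issue: an ETH-refund helper without access control is only safe if the
// contract has a zero balance whenever it is idle.

abstract contract PaymentLike {
    /// Refund any ETH held by the contract to the caller. Deliberately has no
    /// caller check, mirroring the shape of the refundETH() quoted above; the
    /// only thing that makes this acceptable is the invariant enforced below.
    function refundETH() external payable {
        uint256 bal = address(this).balance;
        if (bal > 0) {
            (bool ok, ) = msg.sender.call{value: bal}("");
            require(ok, "ETH_TRANSFER_FAILED");
        }
    }
}

// Assumed downstream contract that is the real holder of user funds.
interface IVault {
    function deposit() external payable;
}

contract RouterLike is PaymentLike {
    IVault public immutable vault;

    constructor(IVault vault_) {
        vault = vault_;
    }

    /// Intended usage: forward the exact amount needed and return any excess
    /// to the sender in the same transaction, so the router is empty again
    /// before control returns to the caller. A user who overpays is refunded
    /// here rather than leaving ETH behind for the next refundETH() caller.
    function depositExact(uint256 amount) external payable {
        require(msg.value >= amount, "INSUFFICIENT_ETH");
        vault.deposit{value: amount}();
        uint256 leftover = address(this).balance;
        if (leftover > 0) {
            (bool ok, ) = msg.sender.call{value: leftover}("");
            require(ok, "REFUND_FAILED");
        }
    }

    /// Invariant check for reviewers and off-chain monitoring: a periphery
    /// contract built on this pattern should report true whenever idle.
    function hasNoIdleBalance() external view returns (bool) {
        return address(this).balance == 0;
    }
}
```

Two caveats follow from the example. First, the invariant only covers ETH the router's own entry points handle; the contract can still end up with a stray balance if a user sends too much to a function that does not refund, or if ETH is forced in via selfdestruct, which is the "mistaken transfer" case the maintainer describes, and in that case whoever calls refundETH() next collects it. Second, the same reasoning applies to unwrapWETH() and sweepToken(): they are benign for a contract that holds no tokens by design, and a caller check would turn a permissionless router into one with an owner, which the maintainer explicitly rejects.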

c4-judge commented 1 year ago

berndartmueller marked the issue as unsatisfactory: Invalid