code-423n4 / 2023-01-popcorn-findings


Attach non-endorsed Adapter to Vaults resulting in DOS #769

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/CloneRegistry.sol#L28

https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/VaultController.sol#L321

Vulnerability details

Impact

An attacker can attach a non-endorsed Adapter to Vaults, resulting in DoS of the vaults and locking users' funds.

Proof of Concept

Whether Adapters are endorsed or not is determined by the public variable cloneExists, for example in the function proposeVaultAdapters of VaultController.

cloneExists is a simple mapping from address to bool. Checking using cloneExists does not consider the templateCategory of the check target. An attacker can first deploy a Vault contract and then use the Vault clone as an Adapter. The cloneExists check will pass.

One possible set of detailed attack steps is as follows.

  1. Deploy a vault contract using deployVault.
  2. Attach an adaptor to the vault created on step 1 using function proposeVaultAdapters and changeVaultAdapters. In this step, pass the vault contract address in step 1 as the adaptor address. The cloneExists will pass.
  3. The vault has an adaptor which is itself. This creates a DoS on the vault. Users' funds are locked.

Tools Used

Recommended Mitigation Steps

Check the templateCategory of the Adaptor.
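The recommended mitigation, sketched as an added example that is not part of the original report or the Popcorn code base: a registry that records the category each clone was registered under, so a caller can require "registered as an Adapter" instead of "registered as anything". The contract names, `categoryOf`, `requireCategory`, `checkAdapters` and the `"Adapter"` category value are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Simplified registry model (hypothetical, not Popcorn's CloneRegistry).
contract CategoryAwareRegistry {
    address public immutable owner;

    // Flat flag as described in the report: true for any registered clone.
    mapping(address => bool) public cloneExists;
    // Added for this example: the template category each clone was registered under.
    mapping(address => bytes32) public categoryOf;

    error NotOwner();
    error AlreadyRegistered(address clone);
    error WrongCategory(address clone, bytes32 expected, bytes32 actual);

    constructor() { owner = msg.sender; }

    function addClone(bytes32 templateCategory, address clone) external {
        if (msg.sender != owner) revert NotOwner();
        if (cloneExists[clone]) revert AlreadyRegistered(clone);
        cloneExists[clone] = true;
        categoryOf[clone] = templateCategory;
    }

    /// Reverts unless `clone` is registered AND was registered under `expected`.
    function requireCategory(address clone, bytes32 expected) public view {
        bytes32 actual = categoryOf[clone];
        if (!cloneExists[clone] || actual != expected) {
            revert WrongCategory(clone, expected, actual);
        }
    }
}

/// Hypothetical caller standing in for the adapter-proposal path.
contract AdapterGate {
    bytes32 public constant ADAPTER = "Adapter"; // assumed category name
    CategoryAwareRegistry public immutable registry;

    constructor(CategoryAwareRegistry registry_) { registry = registry_; }

    // A clone registered under any other category (e.g. a vault) reverts here,
    // even though cloneExists[clone] is true.
    function checkAdapters(address[] calldata adapters) external view {
        for (uint256 i; i < adapters.length; ++i) {
            registry.requireCategory(adapters[i], ADAPTER);
        }
    }
}
```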

c4-sponsor commented 1 year ago

RedVeil marked the issue as sponsor disputed

c4-judge commented 1 year ago

dmvt changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

dmvt marked the issue as grade-c