c4-sponsor
commented
1 year ago RedVeil marked the issue as sponsor disputed
Closed code423n4 closed 1 year ago
c4-sponsor
commented
1 year ago RedVeil marked the issue as sponsor disputed
c4-sponsor
commented
1 year ago RedVeil marked the issue as sponsor confirmed
c4-judge
commented
1 year ago dmvt marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/VaultController.sol#L171 https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/VaultController.sol#L456-L457 https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/VaultController.sol#L526
Vulnerability details
Impact
In 3 functions return values of ERC20 contracts (either approve or transferFrom) are not checked :
fundStakingRewards;addStakingRewardsTokensand_handleInitialDeposit. This is especially dangerous in theaddStakingRewardsTokensfunction, because in this case, the newly added reward token would be considered as one of the reward tokens, even if the return of its transferFrom function would be False. It could then be a way to steal this same token from the AdminProxy via the adminProxy.execute function which is called right after. However, impact is rather limited because caller ofaddStakingRewardsTokensmust be the creator of the Vault or the owner and furthermore there is a check on the token which must be pre-approved via the call to_verifyToken.Proof of Concept
If the token returns False, the ERC20-related transactions would have failed but in pratice, a call to addStakingRewardsTokens would succeed, which is not expected.
Recommended Mitigation Steps
Use the safeTransferFrom and safeApprove functions from the SafeERC20 library accordingly.