Closed code423n4 closed 1 year ago
GalloDaSballo marked the issue as primary issue
Example of a short and sweet description with good POC
GalloDaSballo marked the issue as duplicate of #3
Removed primary due to inaccuracy in statements. I will not penalize further though, as I believe the POC offered covers the exploit sufficiently.
GalloDaSballo marked the issue as satisfactory
m19 marked the issue as sponsor confirmed
Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/main/src/kuma-protocol/KIBToken.sol#L276-L292
Vulnerability details
Impact
The `KIBToken._transfer` function overrides the `ERC20Upgradeable._transfer` function and adds custom logic. The modified function looks like this:
It can be seen that while performing the transfer of `amount` tokens, the function caches the token balances of `from` and `to` in temporary variables. These cached values do not represent the actual balances of the accounts in an edge case.

This implementation of the `_transfer` function can be exploited by any KIBToken holder by passing their own address as the `to` parameter. When the `from` and `to` parameters are equal, the function simply doubles the balance of that respective account. So any token holder holding `x` tokens at the start of the function invocation will have `2x` tokens at the end of the invocation.

The bug can be repeated infinitely to gain a huge KIBToken balance. This huge token balance can be used to drain assets from other contracts of the protocol, as well as to drain liquidity pools of KIBToken.
Proof of Concept
This test case was added to `test/kuma-protocol/kib-token/KIBToken.transfer.t.sol` and was run using `forge test -m test_audit`.

Tools Used
Forge
Recommended Mitigation Steps
Consider adding a check `require(from != to)` in the `_transfer` function. Or, always reference the storage variables directly instead of storing values in temporary variables.
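The following is an added illustration, not code from the KUMA repository or from this report: a constructed minimal ledger that isolates the cached-balance pattern described above, shows the two mitigations side by side, and pins the self-transfer behaviour of each path with Forge tests. The contract names, the `alice` address and the balance values are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "forge-std/Test.sol";

// Constructed minimal ledger (not the KIBToken contract) isolating the
// cached-balance pattern the report describes.
contract CachedBalanceLedger {
    mapping(address => uint256) internal _balances;

    // Vulnerable pattern: both balances are read into locals before either is
    // written. When from == to, the credit uses the stale `toBalance` and
    // overwrites the deduction, so a full-balance self-transfer ends at 2x.
    function _transferCached(address from, address to, uint256 amount) internal {
        uint256 fromBalance = _balances[from];
        uint256 toBalance = _balances[to];
        require(fromBalance >= amount, "insufficient balance");
        _balances[from] = fromBalance - amount;
        _balances[to] = toBalance + amount;
    }

    // Hardened form 1: reject self-transfers, as the report recommends.
    function _transferChecked(address from, address to, uint256 amount) internal {
        require(from != to, "self-transfer");
        _transferCached(from, to, amount);
    }

    // Hardened form 2: update storage directly; the credit reads the balance
    // after the deduction, so from == to nets out to no change.
    function _transferDirect(address from, address to, uint256 amount) internal {
        require(_balances[from] >= amount, "insufficient balance");
        _balances[from] -= amount;
        _balances[to] += amount;
    }
}

contract SelfTransferTest is Test, CachedBalanceLedger {
    address constant alice = address(0xA11CE); // constructed test account
    function test_cachedPathDoublesBalance() public {
        _balances[alice] = 100;
        _transferCached(alice, alice, 100);
        assertEq(_balances[alice], 200); // deduction lost to the stale cache
    }

    function test_directPathKeepsBalance() public {
        _balances[alice] = 100;
        _transferDirect(alice, alice, 100);
        assertEq(_balances[alice], 100);
    }
}
```

Run with `forge test --match-contract SelfTransferTest` in a Foundry project that has forge-std installed; the first test passing is the finding, the second shows the direct-storage fix closing it.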