Open code423n4 opened 1 year ago
GalloDaSballo marked the issue as duplicate of #25
GalloDaSballo marked the issue as not a duplicate
GalloDaSballo marked the issue as primary issue
The Warden has shown a way to leverage a programming mistake to duplicate an account's balance; because this breaks protocol invariants, I agree with High Severity
GalloDaSballo marked the issue as selected for report
We agree that this is a high risk issue and we intend to fix this.
m19 marked the issue as sponsor confirmed
Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/kuma-protocol/KIBToken.sol#L290-L291
Vulnerability details
Impact
Using temporary variables to update balances is a dangerous construction. If a holder transfers tokens to themselves, their balance increases instead of staying the same, so a token balance can be grown without bound.
Proof of Concept
KIBToken overrides _transfer() to perform the token transfer; the code is as follows:
From the code above we can see that a temporary variable, "newToBaseBalance", is used to update the balances.
Using temporary variables this way is a dangerous construction.
If from and to are the same address, the write to balance[to] overwrites the write to balance[from]. To simplify the example:
Suppose balance[alice] = 10 and transferFrom(from=alice, to=alice, 5) is executed. Define the temporary variable temp_variable = balance[alice] = 10; the update then proceeds as follows:
1. balance[from=alice] = temp_variable - 5 = 5
2. balance[to=alice] = temp_variable + 5 = 15
After alice transfers to herself, her balance has increased by 5.
The test code is as follows:
add to KIBToken.transfer.t.sol
Tools Used
Recommended Mitigation Steps
A more general method is to use:
Given the complexity of the amount calculation, if the code is to be easier to read, it is recommended to:
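The vulnerable transfer shape from the Proof of Concept, the self-transfer test the report describes for KIBToken.transfer.t.sol, and both mitigation variants named above, as one added example that is not the Kuma project's code: a minimal token without KIBToken's yield and base-balance arithmetic, with hypothetical contract names (BalancesBase, VulnerableBalances, FixedSnapshotBalances, FixedIncrementBalances, SelfTransferTest) and a forge-std test that replays the scenario from the report (alice holds 10 and sends 5 to herself).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "forge-std/Test.sol";

// Shared scaffolding for the three variants below (added example, not Kuma code).
abstract contract BalancesBase {
    mapping(address => uint256) internal _balances;

    function mint(address to, uint256 amount) external {
        _balances[to] += amount;
    }

    function balanceOf(address account) public view returns (uint256) {
        return _balances[account];
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    function _transfer(address from, address to, uint256 amount) internal virtual;
}

// Vulnerable: both new balances are computed from a snapshot taken before any
// write. When from == to, the second write silently discards the first one.
contract VulnerableBalances is BalancesBase {
    function _transfer(address from, address to, uint256 amount) internal override {
        uint256 startingFromBalance = _balances[from];
        require(startingFromBalance >= amount, "insufficient balance");
        uint256 newFromBalance = startingFromBalance - amount;
        uint256 newToBalance = _balances[to] + amount; // stale read when to == from

        _balances[from] = newFromBalance;
        _balances[to] = newToBalance; // overwrites the debit on a self-transfer
    }
}

// Fix A (keeps the snapshot shape, for code that must recompute a derived
// stored value from the whole new balance): the credit side starts from the
// already-debited balance whenever from == to.
contract FixedSnapshotBalances is BalancesBase {
    function _transfer(address from, address to, uint256 amount) internal override {
        uint256 startingFromBalance = _balances[from];
        require(startingFromBalance >= amount, "insufficient balance");
        uint256 newFromBalance = startingFromBalance - amount;
        uint256 startingToBalance = from == to ? newFromBalance : _balances[to];
        uint256 newToBalance = startingToBalance + amount;

        _balances[from] = newFromBalance;
        _balances[to] = newToBalance; // equals startingFromBalance when from == to
    }
}

// Fix B (the simpler general form): write the debit first, then credit with +=,
// so the credit reads whatever the debit just stored.
contract FixedIncrementBalances is BalancesBase {
    function _transfer(address from, address to, uint256 amount) internal override {
        uint256 startingFromBalance = _balances[from];
        require(startingFromBalance >= amount, "insufficient balance");
        _balances[from] = startingFromBalance - amount;
        _balances[to] += amount;
    }
}

// Foundry test in the style of KIBToken.transfer.t.sol: alice starts with 10 and
// sends 5 to herself; only the vulnerable variant ends up holding 15.
contract SelfTransferTest is Test {
    address internal alice = address(0xA11CE); // constructed test account

    function _selfTransfer(BalancesBase token) internal returns (uint256) {
        token.mint(alice, 10);
        vm.prank(alice);
        token.transfer(alice, 5);
        return token.balanceOf(alice);
    }

    function testVulnerableSelfTransferInflatesBalance() public {
        assertEq(_selfTransfer(new VulnerableBalances()), 15);
    }

    function testFixedSnapshotSelfTransferIsNoop() public {
        assertEq(_selfTransfer(new FixedSnapshotBalances()), 10);
    }

    function testFixedIncrementSelfTransferIsNoop() public {
        assertEq(_selfTransfer(new FixedIncrementBalances()), 10);
    }
}
```

Run it with forge test in a project that has forge-std installed. Fix A is the shape that fits KIBToken, where the stored value (the "newToBaseBalance" temporary) is derived from the full new balance rather than incremented in place, so the from == to case has to be handled explicitly before the derived value is computed; Fix B is the general form for a plain balance mapping, where writing the debit and then crediting with += makes a self-transfer a no-op by construction.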