Lines of code
https://github.com/code-423n4/2023-05-maia/blob/main/src/rewards/base/FlywheelCore.sol#L197
Vulnerability details
Impact
Some ERC20 tokens have multiple valid contract addresses that serve as entrypoints for manipulating the same underlying storage (for example the Synthetix tokens SNX and sBTC, and the TUSD stablecoin). Because the accrueUser function holds all rewards for all pools, assumes that a contract address is a unique identifier for a token, and relies on the return value of balanceOf for the affected tokens to determine what transfers are needed during transaction settlement, multiple-entrypoint tokens are not safe to be used in pools. An attacker can atomically create a second pool using the alternate address, allocate liquidity, and then immediately deallocate it. During execution of the _accrueUser function, supplierTokens will return a positive net balance for the double-entrypoint token, crediting the attacker and transferring them more rewards. This attack only costs gas, as the allocation and deallocation of non-double-entrypoint tokens will cancel out.
Proof of Concept
https://github.com/code-423n4/2023-05-maia/blob/main/src/rewards/base/FlywheelCore.sol#L197
Tools Used
VSCode
Recommended Mitigation Steps
An explicit blacklist should be added to prevent any address other than an "official" one from being used to create pairs and pools for such tokens. The list could be fixed at deployment time, since double-entrypoint tokens are rare and now widely known to be dangerous.
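One way to implement the deployment-time blacklist recommended above, as an added Solidity example that is not part of the Maia codebase: every known alternate entrypoint is mapped to its official address in the constructor, and pool creation reverts for any address on that list (contract names, the Pool stub and the constructor inputs are assumptions).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// @notice Hypothetical guard (not from the audited project): rejects pool creation
/// for any address that is a known alternate entrypoint of a multi-entrypoint token.
/// The list is fixed at deployment, so no later call can widen or shrink it.
contract DoubleEntrypointGuard {
    /// alternate entrypoint => canonical ("official") address it aliases
    mapping(address => address) public canonicalOf;

    error AlternateEntrypoint(address alternate, address canonical);

    /// @param alternates known secondary entrypoint addresses (constructed input,
    ///                   to be filled from a curated list at deployment)
    /// @param canonicals the official address each alternate aliases, same order
    constructor(address[] memory alternates, address[] memory canonicals) {
        require(alternates.length == canonicals.length, "length mismatch");
        for (uint256 i = 0; i < alternates.length; ++i) {
            require(alternates[i] != address(0), "zero alternate");
            require(alternates[i] != canonicals[i], "alias equals canonical");
            canonicalOf[alternates[i]] = canonicals[i];
        }
    }

    /// @dev Revert if `token` is a listed alternate address. The canonical address
    /// itself passes, so only one pool per underlying token storage can exist.
    modifier onlyCanonical(address token) {
        address canonical = canonicalOf[token];
        if (canonical != address(0)) revert AlternateEntrypoint(token, canonical);
        _;
    }
}

/// @notice Minimal stand-in for a pool contract (assumption, for illustration only).
contract Pool {
    address public immutable token;
    constructor(address token_) { token = token_; }
}

/// @notice Hypothetical factory showing where the guard applies.
contract GuardedPoolFactory is DoubleEntrypointGuard {
    mapping(address => address) public poolOf;

    constructor(address[] memory alternates, address[] memory canonicals)
        DoubleEntrypointGuard(alternates, canonicals) {}

    /// @dev The modifier runs before the duplicate-pool check, so an alternate
    /// address can never reach the point where a second pool would be deployed.
    function createPool(address token) external onlyCanonical(token) returns (address pool) {
        require(poolOf[token] == address(0), "pool exists");
        pool = address(new Pool(token));
        poolOf[token] = pool;
    }
}
```

Any rewards contract that keys state by token address should be wired to a factory guarded this way, so the alias check sits in front of every path that can register a new pool.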
Assessed type
Invalid Validation