Open code423n4 opened 1 year ago
The issue is well demonstrated, properly formatted, contains a coded POC. Marking as HQ.
0xSorryNotSorry marked the issue as high quality report
0xSorryNotSorry marked the issue as primary issue
AustinGreen marked the issue as sponsor confirmed
This was resolved in this PR: https://github.com/llamaxyz/llama/pull/367 (note repo is currently private but will be made public before launch)
gzeon-c4 changed the severity to 2 (Med Risk)
Valid issue, actions that require the executor to forward a call value would not work. However, funds are secure and not stuck since this does not impact the functionality of LlamaAccount.transferNativeToken, which takes the amount from calldata.
gzeon-c4 marked the issue as satisfactory
gzeon-c4 marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaCore.sol#L334 https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaExecutor.sol#L29
Vulnerability details
Details
Actions can have value attached to them. That means when an action is being executed, a certain amount of ETH (or other protocol token) needs to be sent by the caller with the contract call. This is why LlamaCore.executeAction is payable.
However, when LlamaCore executes the action it doesn't pass value to the downstream call to LlamaExecutor.
LlamaExecutor's execute is not payable even though it does try to pass value to the downstream call.
This will of course revert because LlamaExecutor is not expected to have any ETH balance.
PoC
To reproduce the issue based on the existing tests we can make the following changes:
Now we can run any test that executes this action, for example:
forge test -m test_RevertIf_ActionExecuted
The test fails with "EvmError: OutOfFund".
Mitigation
It seems like an important part of protocol functionality that is not working, therefore suggested High severity.
The fix is straightforward, making LlamaExecutor.execute payable and passing value in LlamaCore:
Assessed type
Payable
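The value flow described in the report above, as an added sketch that is not part of the original issue and is not the Llama source. The contracts `Target`, `BrokenExecutor`, `FixedExecutor` and `Core` are hypothetical simplifications, and the `msg.value == value` guard is an assumption of this example rather than something the page states.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified, hypothetical contracts (not the Llama source) modelling the value flow.
contract Target {
    function deposit() external payable {
        require(msg.value > 0, "no value");
    }
}

contract BrokenExecutor {
    // Not payable: it cannot receive ETH with the call, so its balance stays 0
    // and the value-carrying call below fails for lack of funds (ok == false).
    function execute(address target, uint256 value, bytes calldata data)
        external returns (bool ok, bytes memory result)
    {
        (ok, result) = target.call{value: value}(data);
    }
}

contract FixedExecutor {
    // Payable: ETH arrives with the call and is forwarded to the target.
    function execute(address target, uint256 value, bytes calldata data)
        external payable returns (bool ok, bytes memory result)
    {
        (ok, result) = target.call{value: value}(data);
    }
}

contract Core {
    // Broken path: msg.value stays in Core; the executor has nothing to forward.
    function executeBroken(BrokenExecutor ex, address target, uint256 value, bytes calldata data)
        external payable returns (bool ok)
    {
        (ok, ) = ex.execute(target, value, data);
    }

    // Fixed path: forward the ETH to the executor along with the call.
    // The equality check is a guard added for this example (an assumption).
    function executeFixed(FixedExecutor ex, address target, uint256 value, bytes calldata data)
        external payable returns (bool ok)
    {
        require(msg.value == value, "incorrect msg.value");
        (ok, ) = ex.execute{value: msg.value}(target, value, data);
    }
}
```

In a test, calling `executeBroken` with 1 ether and `Target.deposit` calldata returns `false` and leaves the ETH sitting in `Core`, while `executeFixed` with the same arguments returns `true` and the target's balance increases by 1 ether.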