Open code423n4 opened 1 year ago
minhquanym marked the issue as primary issue
0xRektora marked the issue as disagree with severity
informational
severity, admin func called only by protocol. Probability are very low for this to happen, protocol can quickly find out if the deployed bytecode is invalid without damaging itself.
0xRektora marked the issue as sponsor confirmed
dmvt changed the severity to QA (Quality Assurance)
dmvt marked the issue as grade-b
Lines of code
https://github.com/Tapioca-DAO/tapiocaz-audit/blob/bcf61f79464cfdc0484aa272f9f6e28d5de36a8f/contracts/TapiocaWrapper.sol#L191 https://github.com/Tapioca-DAO/tapiocaz-audit/blob/bcf61f79464cfdc0484aa272f9f6e28d5de36a8f/contracts/TapiocaWrapper.sol#L209 https://github.com/Tapioca-DAO/tapiocaz-audit/blob/bcf61f79464cfdc0484aa272f9f6e28d5de36a8f/contracts/tOFT/TapiocaOFT.sol#L21 https://github.com/Tapioca-DAO/tapiocaz-audit/blob/bcf61f79464cfdc0484aa272f9f6e28d5de36a8f/contracts/tOFT/mTapiocaOFT.sol#L9
Vulnerability details
Impact
Project tapiocaz contains logic to deploy and create Wrappers Tapoica OFTs.
TapiocaWrapper
is used to create TOFTs andTapiocaOFT
/mTapiocaOFT
are given bases to be used when deploying an TOFT viaTapiocaWrapper::createTOFT
. There are 3 major issues with these:TapiocaWrapper::createTOFT
attempts to checks incorrectly that the provided bytecode is compatible withITapiocaOFT
,TapiocaOFT
normTapiocaOFT
extend the interface and by luck the incorrect check is passedTapiocaWrapper::createTOFT
has an extra flag as input that should enforce that the provided bytecode ismTapiocaOFT
compatible (has multichain wrapping/unwrapping support) but it does nothing (incorrectly implemented)consequently:
deployed contracts via
createTOFT
may not beITapiocaOFT
, an essential project requirement.any deployed contract with the intent of having multichain wrapping/unwrapping support may actually not be. This is of an high enough importance to protocol logic as to warrant a check in itself, otherwise the incorrect check (just a contract cast) would not exist.
also, the incomplete
TapiocaOFT
andmTapiocaOFT
implementations (missingITapiocaOFT::harvestFees
code) results a revert whenTapiocaWrapper::harvestFees
is called if using these provided implementations. Project documentation itself indicates to use theTapiocaWrapper
andTapiocaOFT
together as such the missing code is not intentional.Proof of Concept
A detailed issue explication follows:
TapiocaWrapper::createTOFT
checks, incorrectly, that the deployed contract (viaTapiocaWrapper::_createTOFT
) isITapiocaOFT
by comparing the passed ERC20 contract address with tha contract state saved one:The intent to create an
ITapiocaOFT
compliant token is evident by the castingand the storing in variables that use the
ITapiocaOFT
type:tapiocaOFTs
,tapiocaOFTsByErc20
andharvestableTapiocaOFTs
and also usage of specific
ITapiocaOFT
functionharvestFees
:Next, the intent to use
TapiocaWrapper
andTapiocaOFT
together is stated in the project documentationand in code, the intent to use
TapiocaOFT
(andmTapiocaOFT
) as anITapiocaOFT
compliant token (and assumption) is evident by the castings to TapiocaOFT, to mTapiocaOFT (and the name basically):While this casting is redundant, it also shows that the
_linked
, which is passed from TapiocaWrapper::createTOFT also has no utility.The incorrect assumption here is that, casting an address is Solidity automatically checks interface support. This is false, and the currently used standard way of achieving this is to implemented ERC-165.
The intended check by the
_linked
variable would of been to be sure that the deployed bytecode is alsomTapiocaOFT
compliant.Coming back to
TapiocaOFT
andmTapiocaOFT
; these implementation do not extend theITapiocaOFT
but by project design do have most of the interface functions and in particular those that are called, from that interface, in theTapiocaWrapper::createTOFT
function:erc20()
andhostChainID()
.Contracts inheritance view outlying the lack
ITapiocaOFT
extension and interface functions existing:TapiocaOFT
ERC20Permit
mTapiocaOFT
ERC20Permit
Tools Used
Manual analysis
Recommended Mitigation Steps
Implement ERC-165 for
ITapiocaOFT
,TapiocaOFT
andmTapiocaOFT
and check them accordingly in each step of the TOFT creation inTapiocaWrapper
;mTapiocaOFT
check to be done only when the_link
is set.Assessed type
Other