code-423n4 / 2023-07-tapioca-findings


Controlled Delegatecall Vulnerability in Singularity, BaseUSDO, USDOLeverageModule, USDOMarketModule, and USDOOptionsModule #1657

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/master/contracts/markets/singularity/Singularity.sol#L618-L629
https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/master/contracts/usd0/BaseUSDO.sol#L361-L373
https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/master/contracts/usd0/modules/USDOLeverageModule.sol#L133-L188
https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/master/contracts/usd0/modules/USDOMarketModule.sol#L134-L189
https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/master/contracts/usd0/modules/USDOOptionsModule.sol#L138-L204

Vulnerability details

Impact

The Singularity, BaseUSDO, USDOLeverageModule, USDOMarketModule, and USDOOptionsModule contracts all use the delegatecall function to call a function in another contract. However, the function id of the function to be called is controlled by the caller. This means that an attacker could call the delegatecall function with a function id that they control, which could allow them to execute arbitrary code in the calling contract.

Proof of Concept

If exploited, this vulnerability could allow an attacker to steal funds from the Singularity, BaseUSDO, USDOLeverageModule, USDOMarketModule, and USDOOptionsModule contracts. It could also allow the attacker to take control of the contracts or execute other malicious code.

The following is a proof of concept for the controlled delegatecall vulnerability in the Singularity, BaseUSDO, USDOLeverageModule, USDOMarketModule, and USDOOptionsModule contracts:

```solidity
pragma solidity ^0.8.0;

import "contracts/markets/singularity/Singularity.sol";
import "contracts/usd0/BaseUSDO.sol";
import "contracts/usd0/modules/USDOLeverageModule.sol";
import "contracts/usd0/modules/USDOMarketModule.sol";
import "contracts/usd0/modules/USDOOptionsModule.sol";

contract Attacker {
    function exploit() public {
        // Create a new Singularity contract.
        address singularity = address(new Singularity());

        // Call the _executeModule() function in the Singularity contract, passing in a function id that we control.
        (bool success, bytes memory returnData) = singularity.delegatecall(abi.encodeWithSelector(0x42, "controlledFunction"));

        // If the call was successful, then the attacker can execute arbitrary code in the Singularity contract.
        if (success) {
            // The attacker could steal funds from the Singularity contract, take control of the contract, or execute other malicious code.
        }
    }
}
```

Tools Used

VS Code

Recommended Mitigation Steps

The Singularity, BaseUSDO, USDOLeverageModule, USDOMarketModule, and USDOOptionsModule contracts should be updated to use the safecall function instead of the delegatecall function. The safecall function does not allow the caller to control the function id of the function to be called, which makes it more secure.

Recommendation:

The Singularity, BaseUSDO, USDOLeverageModule, USDOMarketModule, and USDOOptionsModule contracts should be updated to use the safecall function instead of the delegatecall function. This will make the contracts more secure and prevent attackers from exploiting the controlled delegatecall vulnerability.

Assessed type

call/delegatecall
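
One way to constrain a delegatecall dispatcher of the kind this report is concerned with, as an added example that is not part of the submission or of Tapioca's code. `ModuleHost`, its `Module` enum and every function name below are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration: ModuleHost and every name in it are hypothetical.
// Modules run against this contract's storage, so they must share its layout.
contract ModuleHost {
    enum Module { Leverage, Market }

    address public immutable owner;
    address public immutable leverageModule; // fixed at deployment
    address public immutable marketModule;   // fixed at deployment

    // module address => function selector => may be delegatecalled
    mapping(address => mapping(bytes4 => bool)) public allowedSelector;

    error NotOwner();
    error UnknownModule();
    error SelectorNotAllowed(bytes4 selector);

    constructor(address leverage, address market) {
        owner = msg.sender;
        leverageModule = leverage;
        marketModule = market;
    }

    function setSelector(Module m, bytes4 selector, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        allowedSelector[_moduleAddress(m)][selector] = allowed;
    }

    // Weak form, for contrast only: caller picks both target and calldata.
    //   function execute(address target, bytes calldata data) external { target.delegatecall(data); }

    // Hardened form: target resolved from an enum, selector checked before dispatch.
    function execute(Module m, bytes calldata data) external returns (bytes memory ret) {
        address target = _moduleAddress(m);
        if (data.length < 4) revert SelectorNotAllowed(bytes4(0));
        bytes4 selector = bytes4(data[:4]);
        if (!allowedSelector[target][selector]) revert SelectorNotAllowed(selector);
        bool ok;
        (ok, ret) = target.delegatecall(data);
        if (!ok) { assembly { revert(add(ret, 0x20), mload(ret)) } } // bubble up module revert
    }

    function _moduleAddress(Module m) internal view returns (address) {
        if (m == Module.Leverage) return leverageModule;
        if (m == Module.Market) return marketModule;
        revert UnknownModule();
    }
}
```

When reviewing a dispatcher like this, the two questions to answer are whether the delegatecall target can ever be influenced by the caller and whether every selector reachable through the calldata is one the module intends to expose.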

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #661

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #146

c4-judge commented 1 year ago

dmvt changed the severity to 3 (High Risk)

c4-judge commented 1 year ago

dmvt marked the issue as satisfactory

c4-judge commented 1 year ago

dmvt marked the issue as not a duplicate

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Invalid