code-423n4 / 2023-09-delegate-findings


An attacker can use the flashloan() function without real collateral assets #307

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L390

Vulnerability details

Impact

The flashloan() function (https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L389-L410) allows the delegate token owner or an approved operator to borrow their underlying tokens for the duration of a single atomic transaction. The function takes Structs.FlashInfo calldata info as an input parameter. However, some fields of Structs.FlashInfo calldata info are not checked for valid values. For example: the attacker sends a Structs.FlashInfo value as info in which he is specified as the delegateHolder address. The remaining fields of Structs.FlashInfo calldata info are valid.

Proof of Concept

The StorageHelpers.revertNotOperator(accountOperator, info.delegateHolder) check (https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L390) checks whether msg.sender is a trusted address for this accountOperator. However, the address provided by the attacker in the Structs.FlashInfo calldata info input parameter of the function is used as info.delegateHolder. That is, an attacker can specify himself as the owner of this FlashInfo in the input parameter of the flashloan() function. As a result, an attacker can use any assets as a flashloan.

Tools Used

Manual review

Recommended Mitigation Steps

Before executing StorageHelpers.revertNotOperator(accountOperator, info.delegateHolder), check that info.delegateHolder is a valid address for the given FlashInfo.

Assessed type

Invalid Validation
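The question the submission raises is a general one for any flashloan entry point that takes a caller-supplied holder field: authorizing msg.sender against that field only establishes who is calling, and a second check has to tie the named holder to on-chain state for the specific token. The contract below is an added illustration of that two-step pattern and is not code from the delegate repository; the IDelegationLookup interface, the FlashInfo layout, the accountOperator mapping and every function name are hypothetical stand-ins chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical registry lookup (assumption, not the project's interface):
/// does `holder` currently hold a delegation issued by `vault` for
/// `tokenContract`/`tokenId`?
interface IDelegationLookup {
    function hasDelegation(address vault, address holder, address tokenContract, uint256 tokenId)
        external view returns (bool);
}

interface IERC721Minimal {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

interface IFlashReceiver {
    function onFlashloan(address initiator, address tokenContract, uint256 tokenId, bytes calldata data)
        external returns (bytes32);
}

contract FlashloanAuthExample {
    // Hypothetical struct shape; the real project's FlashInfo is defined in its own Structs library.
    struct FlashInfo {
        address receiver;        // contract that receives the token and runs the callback
        address delegateHolder;  // caller-supplied: who claims to hold the delegation
        address tokenContract;
        uint256 tokenId;
        bytes data;
    }

    bytes32 public constant FLASH_CALLBACK_OK = keccak256("FlashloanAuthExample.onFlashloan");
    IDelegationLookup public immutable registry;

    // holder => operator => approved
    mapping(address => mapping(address => bool)) public accountOperator;

    uint256 private _locked = 1;
    modifier nonReentrant() {
        require(_locked == 1, "reentrancy");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(IDelegationLookup registry_) {
        registry = registry_;
    }

    function setOperator(address operator, bool approved) external {
        accountOperator[msg.sender][operator] = approved;
    }

    /// Step 1: msg.sender must be the named holder or an operator approved by that holder.
    /// On its own this proves nothing about whether `holder` actually holds a delegation:
    /// anyone can name themselves as holder and pass this check.
    function _revertNotOperator(address holder) internal view {
        if (msg.sender != holder && !accountOperator[holder][msg.sender]) {
            revert("caller is not holder or approved operator");
        }
    }

    /// Step 2: the named holder must really hold a delegation for this exact token,
    /// issued by this contract acting as the vault. This is the check that binds the
    /// caller-supplied field to on-chain state.
    function _revertInvalidHolder(FlashInfo calldata info) internal view {
        if (!registry.hasDelegation(address(this), info.delegateHolder, info.tokenContract, info.tokenId)) {
            revert("delegateHolder has no delegation for this token");
        }
    }

    function flashloan(FlashInfo calldata info) external nonReentrant {
        _revertNotOperator(info.delegateHolder); // who is calling
        _revertInvalidHolder(info);              // what the named holder is entitled to

        IERC721Minimal(info.tokenContract).transferFrom(address(this), info.receiver, info.tokenId);
        bytes32 ret = IFlashReceiver(info.receiver).onFlashloan(msg.sender, info.tokenContract, info.tokenId, info.data);
        require(ret == FLASH_CALLBACK_OK, "flashloan callback rejected");

        // The receiver must have approved this contract for the token, otherwise the
        // pull-back reverts and the whole transaction (including the loan) is undone.
        IERC721Minimal(info.tokenContract).transferFrom(info.receiver, address(this), info.tokenId);
    }
}
```

When reviewing a real implementation of this pattern, the thing to locate is the equivalent of `_revertInvalidHolder`: a finding that only cites the msg.sender-versus-holder check is incomplete unless it also shows that no later check verifies the holder against the registry for the token being borrowed.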

c4-judge commented 11 months ago

GalloDaSballo marked the issue as unsatisfactory: Invalid