code-423n4 / 2023-09-delegate-findings


An attacker can use the flashloan function with an invalid collateral asset #308

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L389

Vulnerability details

Impact

The flashloan() function (https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L389-L410) allows the delegate token owner or an approved operator to borrow their underlying tokens for the duration of a single atomic transaction. The function uses Structs.FlashInfo calldata info as an input parameter. Failure to call revertNotMinted() may result in a call to flashloan() specifying an invalid collateral asset.

Proof of Concept

The attacker calls flashloan() with the input parameter Structs.FlashInfo calldata info. In the Structs.FlashInfo calldata info input parameter, the attacker can specify any information. Nowhere is the existence of a given FlashInfo checked. For example, an attacker can call a flashloan with the maximum number of ERC20 tokens on the balance of the DelegateToken.sol contract.

Tools Used

Manual review

Recommended Mitigation Steps

Add a call to the StorageHelpers.revertNotMinted() function after the line https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L390.

Assessed type

Invalid Validation

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Invalid