Closed (c4-bot-3 closed this issue 9 months ago)
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #20
0xA5DF changed the severity to QA (Quality Assurance)
0xA5DF marked the issue as grade-c
Moved the points to #277
0xA5DF marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/adapters/OceanAdapter.sol#L117-L119
https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/adapters/Curve2PoolAdapter.sol#L189-L192
Vulnerability details
Impact
The OceanAdapter is an abstract contract that is inherited by the Curve2PoolAdapter contract and the CurveTricryptoAdapter contract. The OceanAdapter contract implements the onERC1155Received hook (OceanAdapter.sol#L117-L119). This indicates that the OceanAdapter contract, and therefore its child contracts, can receive ERC1155 tokens: a compliant ERC1155 token only completes a safeTransferFrom to a contract recipient when that recipient returns the onERC1155Received selector, which this hook does.
The issue is that there is no logic to withdraw ERC1155 tokens from the OceanAdapter contract. The Curve2PoolAdapter only approves ERC20 tokens (to the ocean and primitive contracts) so that they can be withdrawn (Curve2PoolAdapter.sol#L189-L192); there is no equivalent approval or transfer path for ERC1155 tokens.
As a result, ERC1155 tokens transferred to the Curve2PoolAdapter (a child of the OceanAdapter) will get stuck in the Curve2PoolAdapter, since there is no approval to transfer them to either the ocean contract or the primitive contract, and no function that transfers them out directly. This is a loss of funds for the sender of the ERC1155 tokens to the Curve2PoolAdapter contract.
Proof of Concept
https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/adapters/OceanAdapter.sol#L117-L119
https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/adapters/Curve2PoolAdapter.sol#L189-L192
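To make the reported pattern concrete, the following is an added illustration, not code from the Shell Protocol repository: a minimal adapter that acknowledges every ERC1155 transfer but has no way to move the balance out, next to the two mitigation shapes (drop the hook so safe transfers revert, or keep the hook and add an access-controlled exit path). The contract names, the owner check and the rescueERC1155 function are assumptions made for the illustration, and the ERC1155 interfaces are trimmed to the functions used.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC1155 surface used by the illustration below.
// These interfaces and contracts are hypothetical and are not the Shell Protocol code.
interface IERC1155 {
    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external;
}

interface IERC1155Receiver {
    function onERC1155Received(address operator, address from, uint256 id, uint256 value, bytes calldata data)
        external returns (bytes4);
    function onERC1155BatchReceived(
        address operator, address from, uint256[] calldata ids, uint256[] calldata values, bytes calldata data
    ) external returns (bytes4);
}

/// The pattern the report describes: the hook acknowledges every ERC1155 transfer, so a
/// compliant token's safeTransferFrom to this contract succeeds, but nothing in the contract
/// can ever move the received balance out again (no setApprovalForAll, no safeTransferFrom).
contract AcceptingAdapter is IERC1155Receiver {
    function onERC1155Received(address, address, uint256, uint256, bytes calldata)
        external pure override returns (bytes4)
    {
        return IERC1155Receiver.onERC1155Received.selector;
    }

    function onERC1155BatchReceived(address, address, uint256[] calldata, uint256[] calldata, bytes calldata)
        external pure override returns (bytes4)
    {
        return IERC1155Receiver.onERC1155BatchReceived.selector;
    }
    // No function here calls IERC1155.safeTransferFrom(address(this), ...) or setApprovalForAll,
    // so any ERC1155 balance credited to this contract is locked for good.
}

/// Mitigation option 1: do not implement the hook at all. EIP-1155 requires safeTransferFrom /
/// safeBatchTransferFrom to revert when a contract recipient does not return the expected
/// selector, so tokens cannot be sent here by mistake: the transfer fails instead of locking funds.
contract RejectingAdapter {
    // Deliberately no onERC1155Received / onERC1155BatchReceived.
}

/// Mitigation option 2: keep the hook but add an access-controlled path that moves the
/// tokens to a named recipient. Because the adapter itself is both `from` and msg.sender
/// on the token contract, no setApprovalForAll is needed for this self-initiated transfer.
contract RescuableAdapter is IERC1155Receiver {
    address public immutable owner; // assumed trusted party for the illustration

    error NotOwner();

    constructor() {
        owner = msg.sender;
    }

    function onERC1155Received(address, address, uint256, uint256, bytes calldata)
        external pure override returns (bytes4)
    {
        return IERC1155Receiver.onERC1155Received.selector;
    }

    function onERC1155BatchReceived(address, address, uint256[] calldata, uint256[] calldata, bytes calldata)
        external pure override returns (bytes4)
    {
        return IERC1155Receiver.onERC1155BatchReceived.selector;
    }

    /// Moves `amount` of token `id` held by this adapter to `to`. Restricted to the owner so an
    /// arbitrary caller cannot drain balances the adapter legitimately holds.
    function rescueERC1155(IERC1155 token, address to, uint256 id, uint256 amount) external {
        if (msg.sender != owner) revert NotOwner();
        token.safeTransferFrom(address(this), to, id, amount, "");
    }
}
```

Option 1 is the smaller change and the safer default when the adapters have no reason to hold ERC1155 balances; option 2 is only appropriate if the adapters are meant to custody such tokens, and then the exit path needs the same access control the rest of the adapter uses.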
Tools Used
Manual Review and VSCode
Recommended Mitigation Steps
It is recommended either to remove OceanAdapter.onERC1155Received if the adapter contracts are not expected to receive ERC1155 tokens (a compliant ERC1155 token's safeTransferFrom reverts when a contract recipient does not return the onERC1155Received selector, so removing the hook makes such transfers fail instead of locking the tokens), or, if the adapter contracts do need to receive ERC1155 tokens, to implement the logic in the Curve2PoolAdapter that allows the ERC1155 tokens to be transferred to the relevant recipient (for ERC1155 this is setApprovalForAll on the token contract, or a safeTransferFrom initiated by the adapter itself). The corresponding logic to transfer the ERC1155 tokens out of the Curve2PoolAdapter should also be implemented in the respective contracts.
Assessed type
Other