code-423n4 / 2023-12-initcapital-findings


RebaseHelperParams.rebaseHelperParams.helper is not whitelisted, which could lead to user mistakes or phishing attacks #45

Open c4-bot-6 opened 11 months ago

c4-bot-6 commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-12-initcapital/blob/main/contracts/hook/MoneyMarketHook.sol#L53
https://github.com/code-423n4/2023-12-initcapital/blob/main/contracts/hook/MoneyMarketHook.sol#L257
https://github.com/code-423n4/2023-12-initcapital/blob/main/contracts/lending_pool/LendingPool.sol#L102

Vulnerability details

Impact

Users may have their funds stolen maliciously or by accident with a significant likelihood due to not using the correct rebase helper in the MoneyMarketHook.

Proof of Concept

Function execute() does not validate the helper sent as argument.

Here it transfers the funds directly to the helper.

Notice that the call would not revert: when depositing, no validation is performed against the actual deposited funds; it just deposits whatever is sent to the LendingPool. I can perform a POC if requested.

Tools Used

VSCode, Foundry

Recommended Mitigation Steps

Create a mapping for the helper for each token instead of sending as argument.

Assessed type

Access Control
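To illustrate the pattern reported above next to the recommended per-token mapping, here is an added, simplified Solidity sketch; it is not the audited MoneyMarketHook or InitCapital code, and the contract names, the `IRebaseHelper.wrap` interface and the `helperOf`/`setHelper` names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below (assumption: standard transfer semantics).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical helper interface: wraps a rebase token held by the helper.
interface IRebaseHelper {
    function wrap(address token, uint256 amount) external returns (uint256 received);
}

// Simplified sketch of the reported pattern (hypothetical, not the audited contract):
// the caller picks the helper and the hook forwards the user's tokens to it unconditionally,
// so a mistyped or phished address receives the funds and nothing downstream reverts.
contract VulnerableHook {
    function execute(address token, uint256 amount, address helper) external {
        IERC20(token).transferFrom(msg.sender, helper, amount);
        IRebaseHelper(helper).wrap(token, amount); // funds already sit at `helper`
    }
}

// Hardened variant following the issue's recommendation: the helper is fixed per token
// in an admin-controlled mapping, so user input can no longer choose the recipient.
contract WhitelistedHook {
    address public immutable admin;
    mapping(address => address) public helperOf; // token => approved rebase helper

    error NotAdmin();
    error HelperNotSet(address token);

    constructor() { admin = msg.sender; }

    function setHelper(address token, address helper) external {
        if (msg.sender != admin) revert NotAdmin();
        helperOf[token] = helper;
    }

    // No helper argument: the only possible destination is the whitelisted one.
    function execute(address token, uint256 amount) external {
        address helper = helperOf[token];
        if (helper == address(0)) revert HelperNotSet(token);
        IERC20(token).transferFrom(msg.sender, helper, amount);
        IRebaseHelper(helper).wrap(token, amount);
    }
}
```

A Foundry test for the hardened variant would assert that `execute` reverts with `HelperNotSet` for any token whose helper the admin has not registered.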

c4-judge commented 10 months ago

hansfriese marked the issue as primary issue

c4-sponsor commented 10 months ago

fez-init (sponsor) confirmed

hansfriese commented 10 months ago

The impact is low because users might lose their funds by providing the wrong helper address. QA is more appropriate.

c4-judge commented 10 months ago

hansfriese changed the severity to QA (Quality Assurance)

c4-judge commented 10 months ago

hansfriese marked the issue as grade-a