code-423n4 / 2024-01-opus-findings


The melt() function in the Abbot contract allows anyone to repay a user's debt. #172

Closed c4-bot-8 closed 7 months ago

c4-bot-8 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/abbot.cairo#L222

Vulnerability details

Impact

Allowing anyone to call the melt() function on a trove can be dangerous. The major impact is that it allows an unauthorized party to repay the debt (by destroying Yin) of a user's trove, potentially without the user's consent or knowledge. The severity of this issue is high because it can lead to the following consequences:

  1. Unintended debt repayment: An attacker could target a specific user and repay their debt, potentially disrupting their financial strategy or causing them to lose collateral they had locked in the trove.
  2. Denial of service (DoS): An attacker could repeatedly call melt() on a user's trove, effectively preventing the user from managing their own debt and collateral.
  3. Financial loss: If an attacker times their melt() calls correctly, they could cause the user to lose their collateral by repaying debt at unfavorable times or in unfavorable market conditions.

Proof of Concept

The melt() function in the Abbot contract allows anyone to repay a user's debt. Here is a more detailed explanation: The melt() function is defined as:

   fn melt(ref self: ContractState, trove_id: u64, amount: Wad) {
     // note that caller does not need to be the trove's owner to melt
     self.shrine.read().melt(get_caller_address(), trove_id, amount); 
   }

The key thing to note is that there is no check that the caller is the trove owner. get_caller_address() simply returns whoever called the function. This means anyone can call melt() and repay debt in any trove by passing in the trove_id.

Tools Used

Manual

Recommended Mitigation Steps

melt() should check that get_caller_address() == self.trove_owner.read(troveId), ensuring only a trove's owner can repay its debt.

Assessed type

Other

tserg commented 8 months ago

This is intended. Repaying a trove's debt cannot worsen the trove's health, and hence it is impossible for the trove owner to lose out since he is essentially getting a donation.
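The sponsor's point above, as an added example that is not part of the original thread or the Opus code base: a simplified Python accounting model showing that a melt by a third party burns the caller's yin, leaves the owner's collateral and yin untouched, and can only lower the trove's loan-to-value ratio. The class and function names, the sample balances and the cap of a repayment at the outstanding debt are assumptions.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class Trove:
    owner: str
    collateral_value: Fraction  # value of deposited collateral, in yin terms
    debt: Fraction


@dataclass
class ShrineModel:
    """Simplified accounting model (assumption, not the Opus Shrine)."""
    troves: dict = field(default_factory=dict)
    yin: dict = field(default_factory=dict)  # address -> yin balance

    def ltv(self, trove_id):
        t = self.troves[trove_id]
        return t.debt / t.collateral_value

    def melt(self, payer, trove_id, amount):
        # Same call shape as shrine.melt(caller, trove_id, amount) on the page:
        # yin is burned from the payer, never from the trove owner.
        t = self.troves[trove_id]
        if amount < 0:
            raise ValueError("negative amount")
        amount = min(Fraction(amount), t.debt)  # assumption: capped at the debt
        if self.yin.get(payer, 0) < amount:
            raise ValueError("payer cannot cover repayment")
        self.yin[payer] -= amount
        t.debt -= amount
        return amount


def third_party_melt_effect(amount):
    """Return (ltv_before, ltv_after, owner_yin_delta, collateral_delta,
    payer_yin_delta) for a melt on trove 1 paid by a non-owner."""
    s = ShrineModel()
    # Constructed sample state: 600 debt against 1000 of collateral value.
    s.troves[1] = Trove("owner", Fraction(1000), Fraction(600))
    s.yin = {"owner": Fraction(50), "stranger": Fraction(10_000)}
    ltv0, own0 = s.ltv(1), s.yin["owner"]
    col0, pay0 = s.troves[1].collateral_value, s.yin["stranger"]
    s.melt("stranger", 1, amount)
    return (ltv0, s.ltv(1), s.yin["owner"] - own0,
            s.troves[1].collateral_value - col0, s.yin["stranger"] - pay0)
```
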

c4-pre-sort commented 7 months ago

bytes032 marked the issue as insufficient quality report

alex-ppg commented 7 months ago

The Warden specifies how debt repayment should solely be open to the owner of the debt themselves.

As the Sponsor denotes, there is no negative side-effect of this; whether the debt is repaid at a "bad" time or not, a non-zero debt repayment results in a net positive for the indebted.

c4-judge commented 7 months ago

alex-ppg marked the issue as unsatisfactory: Invalid