code-423n4 / 2024-01-salty-findings


no receiver validation #884

Closed c4-bot-3 closed 7 months ago

c4-bot-3 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/Upkeep.sol#L112-L124

Vulnerability details

Impact

In function Upkeep.step2(), which transfers the 5% reward to the caller of performUpkeep(), there is no check that receiver == caller. It is possible to send the reward to the wrong address.

Proof of Concept

```solidity
    function step2(address receiver) public onlySameContract
        {
        uint256 withdrawnAmount = exchangeConfig.dao().withdrawArbitrageProfits(weth);
        if ( withdrawnAmount == 0 )
            return;

        // Default 5% of the arbitrage profits for the caller of performUpkeep()
        uint256 rewardAmount = withdrawnAmount * daoConfig.upkeepRewardPercent() / 100;

        // Send the reward
        weth.safeTransfer(receiver, rewardAmount);
        }
```

Tools Used

Manual

Recommended Mitigation Steps

Add a check that receiver == caller.

Assessed type

Other
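The following is an added, self-contained illustration written for this page; it is not Salty's code and not part of the original issue. It reproduces only what the excerpt above shows (`step2` is guarded by `onlySameContract` and pays `receiver` a percentage of the withdrawn WETH) and adds two assumptions that the excerpt does not show: that `onlySameContract` requires `msg.sender == address(this)`, and that the entry point `performUpkeep()` self-calls `step2(msg.sender)` rather than accepting a receiver from its caller. The contract names `MockWETH`, `UpkeepLike` and `ReceiverValidationDemo`, the fixed 5% constant and the simplified "withdrawn amount is the contract's WETH balance" are all stand-ins. Under those assumptions the `receiver == caller` check the report asks for is already implied: nobody outside the contract can reach `step2` with a receiver of their choosing, and the only internal caller passes its own `msg.sender`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal WETH stand-in with just the balance bookkeeping step2 needs (constructed for this example).
contract MockWETH {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Illustrative stand-in for Upkeep.sol, NOT the project's contract.
contract UpkeepLike {
    MockWETH public immutable weth;
    uint256 public constant UPKEEP_REWARD_PERCENT = 5; // assumed default from the excerpt's comment

    constructor(MockWETH _weth) {
        weth = _weth;
    }

    // ASSUMPTION: the step functions are only reachable through an external self-call.
    modifier onlySameContract() {
        require(msg.sender == address(this), "Only callable from within the same contract");
        _;
    }

    // ASSUMPTION: the public entry point fixes the receiver to msg.sender before the self-call,
    // so step2 never sees a receiver chosen by anyone other than the performUpkeep caller.
    function performUpkeep() external {
        try this.step2(msg.sender) {} catch {}
    }

    // Simplified step2: "withdrawn" arbitrage profits are modelled as this contract's WETH balance.
    function step2(address receiver) external onlySameContract {
        uint256 withdrawnAmount = weth.balanceOf(address(this));
        if (withdrawnAmount == 0) return;

        // Percentage of the withdrawn profits for the caller of performUpkeep()
        uint256 rewardAmount = withdrawnAmount * UPKEEP_REWARD_PERCENT / 100;

        // Send the reward
        require(weth.transfer(receiver, rewardAmount), "transfer failed");
    }
}

// Harness: deploy it, fund the upkeep contract, then call run().
contract ReceiverValidationDemo {
    MockWETH public weth = new MockWETH();
    UpkeepLike public upkeep = new UpkeepLike(weth);

    function run() external returns (bool directCallBlocked, uint256 callerReward, uint256 strangerBalance) {
        address stranger = address(0xBEEF); // arbitrary non-caller address (constructed)
        weth.mint(address(upkeep), 1000 ether);

        // 1. A direct call to step2 with an attacker-chosen receiver reverts on onlySameContract.
        (bool ok, ) = address(upkeep).call(abi.encodeCall(upkeep.step2, (stranger)));
        directCallBlocked = !ok;

        // 2. Through performUpkeep the reward lands with msg.sender (this harness), not with the stranger.
        upkeep.performUpkeep();
        callerReward = weth.balanceOf(address(this));   // 5% of 1000 ether = 50 ether
        strangerBalance = weth.balanceOf(stranger);     // 0
    }
}
```

Compile with solc 0.8.20 or later (abi.encodeCall needs 0.8.11+). Deploy `ReceiverValidationDemo` and call `run()`: it should return `(true, 50 ether, 0)`. The point the harness makes is that the question to ask about a `receiver` parameter on an `onlySameContract` function is not "does the callee compare it to msg.sender" but "who can reach this function and what do they pass"; if the real `performUpkeep()` did accept a receiver from its caller, the finding would stand, which is why that assumption is the one to verify against the actual source.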

c4-judge commented 7 months ago

Picodes marked the issue as unsatisfactory: Invalid