Closed c4-bot-2 closed 6 months ago
0xRobocop marked the issue as sufficient quality report
0xRobocop marked the issue as primary issue
enthusiastmartin (sponsor) disputed
No issue at all. That's how substrate works with public functions.
Why would you bother with this - if you can call Balances::transfer, which is also a public function.
See #131
OpenCoreCH marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/omnipool/src/lib.rs#L1958-L1961
Vulnerability details
Impact
In omnipool/src/lib.rs, the set_position() function is a public function defined in a Pallet implementation. Since this function is clearly marked public, it can be called outside the pallet. Hence any user or smart contract within the runtime can make a call to set_position() and insert or update a position with arbitrary position data. The function inserts or updates a position with the given position data.
With a combination of other vulnerable functions, a malicious user can manipulate the state of their position to their advantage to receive more funds in a remove_liquidity call.
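The sponsor's dispute above turns on what "public" means in a Substrate pallet. The following is an added example, not HydraDX or Omnipool code: a plain-Rust sketch (no FRAME macros) in which Pallet::set_position is a pub fn on the impl block while only the Call variants are reachable from a signed extrinsic; the Position fields, Call variants and error names are constructed for illustration.

```rust
use std::collections::BTreeMap;

/// Constructed position record; the fields are an assumption, not Omnipool's.
#[derive(Debug, Clone, PartialEq)]
pub struct Position { pub owner: u64, pub asset: u32, pub amount: u128, pub shares: u128 }

#[derive(Debug, PartialEq)]
pub enum DispatchError { BadOrigin, NoSuchPosition, NotOwner }
/// Stands in for the pallet and its `Positions` storage map.
#[derive(Default)]
pub struct Pallet { positions: BTreeMap<u128, Position> }

/// Stands in for the `#[pallet::call]` enum: an extrinsic can only carry one of
/// these variants, so only these paths are reachable from a signed transaction.
pub enum Call {
    AddLiquidity { asset: u32, amount: u128 },
    RemoveLiquidity { position_id: u128 },
}

impl Pallet {
    /// `pub fn` on the impl block: other runtime code (pallets, tests, migrations)
    /// can call it, but it has no `Call` variant, so no extrinsic can reach it.
    pub fn set_position(&mut self, id: u128, pos: Position) {
        self.positions.insert(id, pos);
    }

    pub fn position(&self, id: u128) -> Option<&Position> { self.positions.get(&id) }

    /// The only door an extrinsic goes through; `origin` is the signer, if any.
    pub fn dispatch(&mut self, origin: Option<u64>, call: Call) -> Result<(), DispatchError> {
        let who = origin.ok_or(DispatchError::BadOrigin)?; // plays the role of ensure_signed
        match call {
            Call::AddLiquidity { asset, amount } => {
                let id = self.positions.len() as u128;
                // The pallet computes the stored position; the caller never supplies it.
                self.set_position(id, Position { owner: who, asset, amount, shares: amount });
                Ok(())
            }
            Call::RemoveLiquidity { position_id } => {
                let pos = self.positions.get(&position_id).ok_or(DispatchError::NoSuchPosition)?;
                if pos.owner != who { return Err(DispatchError::NotOwner); }
                self.positions.remove(&position_id);
                Ok(())
            }
        }
    }
}
```

The check a reviewer would actually make on the real pallet is whether set_position appears under #[pallet::call] or only on the plain impl block, since only the former is exposed to transactions.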
Proof of Concept
https://github.com/code-423n4/2024-02-hydradx/blob/main/HydraDX-node/pallets/omnipool/src/lib.rs#L1958-L1961
In the PoC below, for a normal transaction, LP1 is expected to have a balance of 4840 tokens of the registered asset and 203.921568627449 LRNA, but when LP1 calls the Omnipool::set_position() function with arbitrary position data, LP1's balance of the registered token will be 4900 tokens and 222.852003235832 LRNA.
This also affects the TVL of the pool.
Tools Used
Manual review
Recommended Mitigation Steps
Add an access control check to ensure the function can only be called by authorized accounts. If the function is not necessary, remove it.
Assessed type
Access Control