Closed c4-bot-9 closed 3 months ago
cryptotechmaker marked the issue as disagree with severity
Medium; the attack is possible only if the victim gives approval to the attacker
dmvt marked the issue as duplicate of #172
dmvt changed the severity to 2 (Med Risk)
dmvt marked the issue as satisfactory
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/tapiocaOmnichainEngine/BaseTapiocaOmnichainEngine.sol#L60-L74
Vulnerability details
Description
The function `BaseTapiocaOmnichainEngine::transferFrom()` is a modified version of the well-known `ERC20::transferFrom()`, with slight alterations to accommodate the `pearlmit` contract. In the scenario where the allowance granted by the `from` address to `msg.sender` is less than the transfer amount `value`, the function invokes `pearlmit.transferFromERC20(from, to, address(this), value)` to execute the token transfer. However, a vulnerability arises because there is no check for permission between the `from` address and `msg.sender`.

The attacker can arbitrarily set the `from` address to one that has approved `BaseTapiocaOmnichainEngine` in the pearlmit contract, and for which `BaseTapiocaOmnichainEngine.allowance(from, pearlmit) > 0`. Additionally, the attacker can set the `to` address to their own address. By doing so, all tokens of the `from` address can be stolen by the attacker.

Impact
Attacker can steal Tap tokens from other users
Tools Used
Manual review
Recommended Mitigation Steps
Consider removing the logic with the pearlmit contract in the function `transferFrom()`.
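To make the mitigation concrete, the following is an added illustrative sketch, not Tapioca's source code and not the actual fix applied in the duplicate issue. It puts the transfer path shaped like the one described in this report next to a hardened `transferFrom()` that follows the recommendation above by dropping the pearlmit fallback, so that the allowance granted by `from` to `msg.sender` is always consulted and spent. `IPearlmit`, `OmnichainTokenSketch`, `transferFromUnchecked` and the storage layout are assumptions made for this example; the interface is modelled only on the call named in the report and is not Pearlmit's real ABI.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface, modelled only on the call named in the report;
// it is not Pearlmit's real ABI.
interface IPearlmit {
    function transferFromERC20(address owner, address to, address token, uint256 amount)
        external
        returns (bool);
}

// Illustrative token sketch (not Tapioca's source) with both transfer paths side by side.
contract OmnichainTokenSketch {
    mapping(address => uint256) private _balances;
    mapping(address => mapping(address => uint256)) private _allowances;
    IPearlmit public immutable pearlmit;

    constructor(IPearlmit pearlmit_, uint256 initialSupply) {
        pearlmit = pearlmit_;
        _balances[msg.sender] = initialSupply;
    }

    function balanceOf(address account) external view returns (uint256) {
        return _balances[account];
    }

    function allowance(address owner, address spender) external view returns (uint256) {
        return _allowances[owner][spender];
    }

    function approve(address spender, uint256 value) external returns (bool) {
        _allowances[msg.sender][spender] = value;
        return true;
    }

    // Shape of the issue described in the report: when msg.sender's allowance is short,
    // the transfer is delegated to pearlmit and the allowance `from` gave msg.sender is
    // never consulted, so the caller's permission is decided by what `from` granted to
    // this contract in pearlmit, not by what `from` granted to the caller.
    function transferFromUnchecked(address from, address to, uint256 value) external returns (bool) {
        if (_allowances[from][msg.sender] < value) {
            return pearlmit.transferFromERC20(from, to, address(this), value);
        }
        _allowances[from][msg.sender] -= value;
        _transfer(from, to, value);
        return true;
    }

    // Hardened form following the recommended mitigation: the pearlmit fallback is gone,
    // so the caller must always hold, and always spends, an allowance granted by `from`.
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        uint256 current = _allowances[from][msg.sender];
        require(current >= value, "ERC20: insufficient allowance");
        unchecked {
            _allowances[from][msg.sender] = current - value;
        }
        _transfer(from, to, value);
        return true;
    }

    function _transfer(address from, address to, uint256 value) internal {
        require(to != address(0), "ERC20: transfer to zero address");
        uint256 fromBalance = _balances[from];
        require(fromBalance >= value, "ERC20: insufficient balance");
        unchecked {
            _balances[from] = fromBalance - value;
        }
        _balances[to] += value;
    }
}
```

The property a reviewer wants to see in `transferFrom()` is that the only way to move `from`'s tokens is through an allowance `from` explicitly granted to `msg.sender`; any fallback that routes around that check reintroduces the access-control gap this report describes, so if a pearlmit path is kept for other reasons it must be gated on the same `from`-to-`msg.sender` authorisation.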
Assessed type
Access Control