Closed c4-bot-10 closed 6 months ago
Medium.
The same happens if you approve the attacker for an ERC20.
However, this is worth fixing imo. I think we can add specific selectors instead of allowing any call to be executed.
cryptotechmaker marked the issue as disagree with severity
dmvt marked the issue as primary issue
0xRektora (sponsor) confirmed
dmvt marked the issue as duplicate of #100
dmvt marked the issue as satisfactory
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/Magnetar.sol#L325-L333
Vulnerability details
Description
Magnetar has a call that lets a user interact with OFT contracts, `Magnetar::_processOFTOperation`. Its `_executeCall` simply performs a low-level `call` on the target contract. The issue is that there is no validation other than that the `_target` is whitelisted.

A lot of functionality in Magnetar requires tokens, specifically Singularity tokens, to be whitelisted. That functionality also requires the user to approve Magnetar to transfer these tokens, as shown in `MagnetarBaseModule::_extractTokens`, which is called on a singularity in `MagnetarMintCommonModule::_lockOnTOB`. Therefore, any user that has an existing approval to Magnetar for their singularity (or any other whitelisted token) can have their approved tokens stolen through the unrestricted call.

Impact
Any user that has an approval for Magnetar on any token that is whitelisted in Magnetar can have their approved tokens stolen. Since some calls within Magnetar require such an approval, it is likely this will affect users.

This also affects any whitelisted tokens held by the Magnetar contract itself, but as it is only a helper contract not designed to hold tokens this is less impactful.

Proof of Concept
Test in `tap-token/test/MagnetarApproval.t.sol`. The full test setup can be found here.
Tools Used
Manual audit
Recommended Mitigation Steps
Consider removing the general `MagnetarAction.OFT` call. Most of the interactions with the contracts in the Tapioca ecosystem are already handled in the Magnetar module system, which handles approvals and transfers.

Assessed type
Access Control
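As an added illustration of the weakness and of the selector-based fix suggested in the sponsor discussion (hypothetical code, not Tapioca's Magnetar implementation; contract and function names are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Mirrors the reported pattern: the only check is that the target is whitelisted,
// so any function on a whitelisted token (e.g. transferFrom) can be invoked with
// this contract as msg.sender, spending approvals users granted to it.
contract WeakForwarder {
    mapping(address => bool) public whitelisted;
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function setWhitelisted(address target, bool ok) external {
        require(msg.sender == owner, "not owner");
        whitelisted[target] = ok;
    }

    function executeCall(address target, bytes calldata data) external {
        require(whitelisted[target], "target not whitelisted");
        (bool ok, bytes memory ret) = target.call(data); // unrestricted selector
        if (!ok) { assembly { revert(add(ret, 32), mload(ret)) } }
    }
}

// Hardened form: each whitelisted target gets an explicit allowlist of function
// selectors. Selectors that move or delegate the forwarder's own rights
// (transferFrom, approve, permit-style calls) should never be allowlisted.
contract SelectorGatedForwarder {
    mapping(address => mapping(bytes4 => bool)) public allowedSelector;
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function setAllowedSelector(address target, bytes4 sel, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedSelector[target][sel] = ok;
    }

    function executeCall(address target, bytes calldata data) external {
        require(data.length >= 4, "missing selector");
        bytes4 sel = bytes4(data[:4]);
        // Target and selector are checked together; an unlisted target has no
        // allowed selectors, so the whitelist is implied by this mapping.
        require(allowedSelector[target][sel], "call not allowed");
        (bool ok, bytes memory ret) = target.call(data);
        if (!ok) { assembly { revert(add(ret, 32), mload(ret)) } }
    }
}
```

Even with the selector allowlist, the forwarded call still executes with the helper as `msg.sender`, so the allowlist must be reviewed whenever a new target or approval flow is added.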