Closed c4-bot-10 closed 3 months ago
dmvt marked the issue as duplicate of #72
dmvt marked the issue as duplicate of #120
dmvt marked the issue as selected for report
dmvt marked issue #142 as primary and marked this issue as a duplicate of 142
dmvt marked the issue as satisfactory
Lines of code
https://github.com/Tapioca-DAO/tap-token/blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/tokens/TapTokenReceiver.sol#L176 https://github.com/Tapioca-DAO/tap-token/blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/tokens/TapTokenReceiver.sol#L140-L141
Vulnerability details
Description
In
TapToken
there is a feature that you can interact withTwTAP
cross chain, participate, claim rewards and exit a position.The issue is that, in
TwTAP
to claim rewards and exit a position, the caller doing the actions needs to be approved by the owner,twTAP::_requireClaimPermission
:In this case, the caller will be the TapOFT contract
Once the rewards are claimed by the TapOFT contract they are transferred back cross chain to an address provided by the caller,
TapTokenReceiver::_claimTwpTapRewardsReceiver
:and the same for
exitPosition
,TapTokenReceiver::_unlockTwTapPositionReceiver
:Hence an attacker can spot a user that has an existing approval for their
TwTAP
position and steal their rewards or their whole position if it is expired.Impact
Any user that has an existing approval to
TwTAP
can have their rewards stolen by anyone or position stolen upon expiry.Now, a user can mitigate this by grouping their claim/exit with a permit transaction, only granting the next call the allowance to transfer, then "unpermitting".
The issue is that, as shown by Trust Security here: https://www.trust-security.xyz/post/permission-denied this permit transaction can be forced to revert by executing it early.
Since the allowance is then there, the attacker can simply do their own cross chain claim/exit and that way steal the victims rewards/position.
Proof of Concept
PoC showing how it works with
claimRewards
With just a few changes to the existing testtap-token/test/TapToken.t.sol::test_claim_rewards
:Tools Used
Manual audit
Recommended Mitigation Steps
Consider adding a check in
TapTokenReceiver
that the user calling,_srcChainSender
, is approved.Assessed type
Access Control