Open c4-bot-10 opened 4 months ago
cryptotechmaker marked the issue as disagree with severity
Low/Invalid;
The issue seems a bit out of context. The link provided is from BaseTapiocaOmnichainEngine and there's no context provided from which part this is triggered on TapToken.
Also this would be possible only if the approve in pearlmit is done with a large enough deadline and amount someone else can exploit. All pearlmit approvals have a deadline associated with them.
dmvt marked the issue as primary issue
0xRektora marked the issue as agree with severity
0xRektora (sponsor) confirmed
I'd keep it as medium. Potential side effects might happen on current/future TOE tokens.
dmvt marked the issue as selected for report
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/tapiocaOmnichainEngine/BaseTapiocaOmnichainEngine.sol#L63-L67
Vulnerability details
Description
When transferring TapToken there is an extra check done in BaseTapiocaOmnichainEngine::transferFrom:
Here, if the spender is not allowed, the allowance is checked in Pearlmit. The issue is that Pearlmit checks the allowance against msg.sender, which in this case will be the TapToken contract.
Hence any user with an allowance to the TapToken contract in Pearlmit can have their TAP stolen.
Impact
If a user has allowed TapToken to transfer TapToken through Pearlmit, they can have all they have approved stolen. Since TapToken does a lot of token handling in composed messages this is likely to happen.
Proof of Concept
Test in tap-token/test/TapToken.t.sol:
Tools Used
Manual audit
Recommended Mitigation Steps
Consider not doing the fallback to Pearlmit in transferFrom.
Assessed type
Access Control
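
The allowance check described in the report, as a simplified Python model added here; it is not part of the original submission and not Tapioca's code. All class and method names are hypothetical: PermitRegistry stands in for Pearlmit and models only that the operator is matched against msg.sender, and the sample accounts and amounts are constructed.

```python
# Simplified model; hypothetical names, PermitRegistry is not Pearlmit's real interface.
class PermitRegistry:
    def __init__(self):
        self.allowed = {}  # (owner, operator, token) -> remaining amount

    def approve(self, msg_sender, operator, token, amount):
        self.allowed[(msg_sender, operator, token)] = amount

    def spend(self, msg_sender, owner, token, amount):
        # The operator is whoever calls the registry (msg.sender).
        key = (owner, msg_sender, token)
        if self.allowed.get(key, 0) < amount:
            return False
        self.allowed[key] -= amount
        return True


class Token:
    def __init__(self, address, registry, registry_fallback):
        self.address, self.registry = address, registry
        self.registry_fallback = registry_fallback
        self.balances, self.allowances = {}, {}  # allowances: (owner, spender) -> amount

    def _spend_allowance(self, msg_sender, owner, amount):
        key = (owner, msg_sender)
        if self.allowances.get(key, 0) >= amount:
            self.allowances[key] -= amount
            return True
        # Fallback: the token makes this call, so the registry sees the token
        # as msg.sender, not the account that called transfer_from.
        return self.registry_fallback and self.registry.spend(
            self.address, owner, self.address, amount)

    def transfer_from(self, msg_sender, owner, to, amount):
        if not self._spend_allowance(msg_sender, owner, amount):
            raise PermissionError("insufficient allowance")
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def run_scenario(registry_fallback):
    """Constructed case: alice approves the token contract; bob has no allowance."""
    registry = PermitRegistry()
    tap = Token("TAP", registry, registry_fallback)
    tap.balances["alice"] = 100
    registry.approve("alice", operator="TAP", token="TAP", amount=100)
    try:
        tap.transfer_from("bob", owner="alice", to="bob", amount=100)
    except PermissionError:
        pass
    return tap.balances["alice"], tap.balances.get("bob", 0)
```

run_scenario(True) models the behaviour the report describes; run_scenario(False) models the recommended mitigation of dropping the fallback, where the same call is rejected.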