Open c4-bot-6 opened 4 months ago
cryptotechmaker marked the issue as disagree with severity
The last 2 seems possible only if you approve the attacker, which is valid even for any random ERC20
The first 1 can be an issue, but I don't think the severity should be H. Maybe Medium or Low. I'll let @0xRektora to confirm as well
While this is a valid finding, the probability of it happening are very low. Will still put it as medium
due to the nature of the issue.
MagnetarAction.TapToken integration will leave tokens stuck in Magnetar contract a lot of calls in MagnetarAction.Permit enables anyone to steal whitelisted tokens held by Magnetar (L-01 in QA report)
We don't actually use TapToken singular actions, instead we use the MagnetarOptionModule
. As for permits, we use TapiocaOmnichainEngine/OFT
for that.
The probability are very low because the flow of action taken to the casual user is dictated by a different code. While this is possible to happen it'd have to be an advanced user, who probably will batch the actions together of permitting/locking/sending the token to his address. The Tx will revert if those are not done in the same Tx using Magnetar batching
dmvt marked the issue as primary issue
0xRektora (sponsor) confirmed
dmvt changed the severity to 2 (Med Risk)
dmvt marked the issue as selected for report
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/Magnetar.sol#L199-L212 https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/Magnetar.sol#L304-L305
Vulnerability details
Description
This issue is a combination of three other issues:
MagnetarAction.TapToken
integration will leave tokens stuck inMagnetar
contractMagnetarAction.Permit
enables anyone to steal whitelisted tokens held byMagnetar
(L-01 in QA report)Magnetar
In short, the first issue describes that, due to how
MagnetarAction.TapToken
is setup, it will leave thetOLP
position a user creates throughTapiocaOptionBroker::participate
stuck in theMagnetar
contract. As it mints the position tomsg.sender
which will be theMagnetar
contract:The two following ones, describes how anyone can take any tokens that are in the
Magnetar
contract.Either by granting themselves permissions to transfer any whitelisted tokens in using
MagnetarAction.Permit
. Because of howMagnetarStorage::_checkSender
validates that the first argument in the calldata toMagnetarAction.Permit
is the same asmsg.sender
. This together with that a lot of the calls allowed throughMagnetarAction.Permit
(IYieldBox::setApprovalForAll
,IYieldBox::setApprovalForAsset
,IERC20::approve
, andIERC721::approve
) haveaddress to
i.e. the operator/approvee as the first argument. Hence any user can approve themselves to transfer tokens out of the contract.Or by using
MagnetarAction.OFT
. Which allows anyone to transfer tokens out ofMagnetar
(and steal any approved tokens toMagnetar
) since there is an unvalidated call done to any whitelisted contract inMagnetarAction.OFT
.The contract is not in itself supposed to hold any tokens hence in itself these issues are not that severe by themselves.
However these issues combined allows an attacker to steal the position completely. Since the first one makes the position be stuck in
Magnetar
and the two last ones makes it not actually stuck, but retrievable by anyone.Impact
If a user uses
MagnetarAction.TapToken
to create their position they can have their position and/or rewards stolen.Proof of Concept
Test in
tap-token/test/Magnetar.t.sol
, builds on the test described inMagnetarAction.TapToken
integration will leave tokens stuck inMagnetar
contract:Full test with setup can be found here.
Tools Used
Manual audit
Recommended Mitigation Steps
Consider implementing the mitigations described in the three mentioned referenced issues:
TapiocaOptionBroker::participate
andexerciseOption
. Similar to how it's done inTapiocaOptionLiquidityProvision::lock
.MagnetarAction.Permit
should work. As there is support in modules for a lot of the calls it is used for perhaps it is unnecessary to have.MagnetarAction.OFT
call. Most of the interactions with the contracts in the Tapioca ecosystem is already handled in the Magnetar module system which handles approvals and transfers.Assessed type
Invalid Validation