Closed c4-bot-5 closed 5 months ago
By definition should have been sent at Med at most (conditional on external condition)
I'm not convinced this should be considered valid though as it fails to demonstrate how the approvals will lead to loss
GalloDaSballo marked the issue as insufficient quality report
Conditional on unknown 3rd party contract being exploited == invalid speculation. Valid as a systemic risk in analysis.
trust1995 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarm/PendlePowerFarmDeclarations.sol#L274-L354
Vulnerability details
Impact
Loss of protocol and user funds
Proof of Concept
Wiselending Protocol pre-approves some inter-protocol addresses in the PendlePowerFarmDeclarations contract's constructor to provide smooth function flows and save gas.
However, this is an irreversible implementation as the approvals given to the addresses are not only the Wiselending contracts and they can't be zeroed back.
It's performed in the constructor by calling _doApprovals, and here's the list of approved addresses:
We want to emphasize that the given approvals will be draining the contract when the third party address is exploited or they drain the Wiselending contract deliberately. It's technically possible that the Pendle contracts' owner can drain Wiselending.
As can be seen on the above approvals, PENDLE ROUTER is also among the approved addresses. When we check the router addresses of the Pendle, we see that they are proxies (1, 2) and implementation will vary according to the update. Without assessing the future implementation, it makes a gamble to approve these contracts with a maximum amount.
In addition, Pendle uses 1inch network for the `swap` functions which might also lead to drain the funds from Wiselending via executing an arbitrary call through 1inch when the code is updated.
Moreover, there is no functionality to revoke these approvals. The pools could be paused by the `securityShutdown` call, however, this doesn't prevent the funds from being withdrawn by the exploited protocols.
Tools Used
Manual Review
Recommended Mitigation Steps
We recommend off-chain on-time approvals at the UI
OR
Approve the addresses at the protocol level only for the `_amount` being interacted with a gas cost tradeoff on L1.
Assessed type
Other
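
The second mitigation above (approve only the `_amount` being used) together with the missing revoke path, as an added example that is not code from the Wise Lending repository or from the report's author. `ScopedApprovalExample`, `IExternalRouter`, `deposit`, `OWNER` and `ROUTER` are hypothetical names, and the token is assumed to return a bool from `approve`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface declared inline so the example is self-contained.
// Assumption: the token returns a bool from approve().
interface IERC20Minimal {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Hypothetical stand-in for a third-party router behind an upgradeable proxy.
interface IExternalRouter {
    function deposit(address token, uint256 amount) external;
}

contract ScopedApprovalExample {
    error ApproveFailed();
    error NotOwner();

    address public immutable OWNER;
    IExternalRouter public immutable ROUTER;

    constructor(IExternalRouter _router) {
        // No approve(..., type(uint256).max) is issued at deployment.
        OWNER = msg.sender;
        ROUTER = _router;
    }

    // Allowance exists only for the duration of one call and only for _amount.
    function _depositWithScopedApproval(IERC20Minimal _token, uint256 _amount) internal {
        if (!_token.approve(address(ROUTER), _amount)) revert ApproveFailed();

        ROUTER.deposit(address(_token), _amount);

        // Clear any remainder the router did not pull.
        if (_token.allowance(address(this), address(ROUTER)) != 0) {
            if (!_token.approve(address(ROUTER), 0)) revert ApproveFailed();
        }
    }

    // Revoke path: lets the owner zero an allowance if a spender is later distrusted.
    function revokeApproval(IERC20Minimal _token, address _spender) external {
        if (msg.sender != OWNER) revert NotOwner();
        if (!_token.approve(_spender, 0)) revert ApproveFailed();
    }
}
```

The two extra `approve` calls per interaction are the gas cost tradeoff the recommendation mentions.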