code-423n4 / 2024-02-wise-lending-findings


The calls in Curve finance pools are done in an unsafe manner #266

Closed c4-bot-1 closed 3 months ago

c4-bot-1 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseSecurity/WiseSecurity.sol#L193-L232
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseSecurity/WiseSecurity.sol#L225-L227

Vulnerability details

The protocol is doing external calls on curve pools as a security measure. However, the calls are done in an unsafe manner; this is important as every curve pool has different code and they are not standardized. Multiple problems can arise from unsafe external calls treated this way:

  1. Execution will fail; however, the transaction will not revert, as the failed execution will only return a false.
  2. The returned data amount is bigger than what the stack can hold and it will run into an out-of-gas scenario.

Impact

Possible DOS or other unexpected events, such as a transaction failing although the call has succeeded.

Proof of Concept

Tools Used

Manual Review

Recommended Mitigation Steps

  1. Wrap the call to curve pools in a YUL low level external call OR
  2. Wrap the call to curve pools in a function similar to _callOptionalReturn that you are already using for tokens transfers and validate the returned data

Assessed type

Context
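
The following is an added illustration of the second mitigation the report recommends (a wrapper in the spirit of `_callOptionalReturn` that validates the success flag and the returned data of a call to a non-standardized pool); it is not code from the wise-lending repository or from Curve, and the `get_virtual_price()` selector in the usage contract is an assumed example of a pool view function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not part of the wise-lending code base.
/// Pattern: a low-level staticcall to an arbitrary pool contract whose
/// success flag and return-data size are checked explicitly, with the
/// output buffer bounded so that an oversized return payload is never
/// copied into memory.
library SafePoolCall {
    error PoolCallFailed(address pool);
    error PoolReturnDataMalformed(address pool, uint256 length);

    /// @dev Calls `pool` with `data` and expects exactly one 32-byte word back.
    ///      Reverts if the call fails, if the target returned nothing (e.g. an
    ///      address without code) or if the return data is not one word.
    function staticCallWord(address pool, bytes memory data)
        internal
        view
        returns (uint256 value)
    {
        bool success;
        uint256 returnSize;
        assembly {
            // staticcall(gas, target, inOffset, inSize, outOffset, outSize)
            // At most 32 bytes of output are copied to scratch space 0x00..0x20,
            // regardless of how much the callee actually returns.
            success := staticcall(gas(), pool, add(data, 0x20), mload(data), 0x00, 0x20)
            returnSize := returndatasize()
            value := mload(0x00)
        }
        if (!success) revert PoolCallFailed(pool);
        if (returnSize != 32) revert PoolReturnDataMalformed(pool, returnSize);
    }
}

/// Usage sketch (also added here): reading a pool value through the wrapper.
contract PoolReader {
    using SafePoolCall for address;

    // Assumed example selector; any pool view function returning uint256 fits.
    bytes4 private constant VIRTUAL_PRICE_SELECTOR = bytes4(keccak256("get_virtual_price()"));

    function readVirtualPrice(address pool) external view returns (uint256) {
        return pool.staticCallWord(abi.encodeWithSelector(VIRTUAL_PRICE_SELECTOR));
    }
}
```

The `outSize` argument of `staticcall` is what bounds the memory copy: the callee may return as many bytes as it likes, but only one word lands in memory, and `returndatasize()` is then compared against the expected length so that a silent `false`, an empty return from a codeless address, or a malformed payload all revert instead of being treated as a valid value.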

GalloDaSballo commented 4 months ago

OOS from bot + simply invalid

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseSecurity/WiseSecurity.sol#L229C9-L229C22

c4-pre-sort commented 4 months ago

GalloDaSballo marked the issue as insufficient quality report

c4-judge commented 3 months ago

trust1995 marked the issue as unsatisfactory: Invalid