Open c4-bot-6 opened 6 months ago
0xEVom marked the issue as sufficient quality report
0xEVom marked the issue as primary issue
kalinbas (sponsor) confirmed
jhsagd76 marked the issue as satisfactory
jhsagd76 marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Vault.sol#L497
Vulnerability details
Impact
Any account holding a position inside
V3Vault
can transform any NFT position outside the vault that has been delegated to Revert operators for transformation(AutoRange
,AutoCompound
and all other transformers that manage positions outside of the vault).The exploiter can pass any
params
at any time, affecting positions they do not own and their funds critically.Vulnerability details
In order to borrow from
V3Vault
an account must first create a collaterized position by sending his position NFT through thecreate()
functionAny account that has a position inside the vault can use the
transform()
function to manage the NFT, while it is owned by the vault:https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/V3Vault.sol#L497
The user passes an approved transformer address and the calldata to execute on it. The problem here is that the function only validates the ownership of the
uint256 tokenId
input parameter, however it never checks if thetokenId
encoded insidebytes calldata data
parameter belongs tomsg.sender
.This allows any vault position holder to call an allowed transformer with arbitrary params encoded as calldata and change any position delegated to that transformer.
This will impact all current and future transformers that manage Vault positions.
To prove the exploit I'm providing a coded POC using the
AutoCompound
tranformer.Proof of Concept
A short explanation of the POC:
Alice
is an account outside the vault that approves her positionALICE_NFT
to be auto-compounded by Revert controlled operators(bots)Bob
decides to act maliciously and transformAlice
positionBob
opens a position in the vault with hisBOB_NFT
so that he can calltransform()
Bob
callsV3Vault.transform()
withBOB_NFT
astokenId
param to pass validation but encodesALICE_NFT
inside dataBob
successfully transformsAlice
position with his paramsYou can add the following test to
V3Vault.t.sol
and runforge test --contracts /test/V3Vault.t.sol --mt testTransformExploit -vvvv
Since the exploiter can control the calldata send to the transformer, he can impact any approved position in various ways. In the case of
AutoCompound
it can be:swap0To1
&amountIn
parameters to execute swaps in unfavourable market conditions, leading to loss of funds or value extractionThose are only a couple of ideas. The impact can be quite severe depending on the transformer and parameters passed.
Tools Used
Manual Review, Foundry
Recommended Mitigation Steps
Consider adding a check inside
transform()
to make sure the providedtokenId
and the one encoded as calldata are the same. This way the caller will not be able to manipulate other accounts positions.Assessed type
Invalid Validation