search

code-423n4 / 2024-04-renzo-validation

2 stars 2 forks source link

[M-20] `withdrawQueue::getAvailableToWithdraw` - Reliance on token balance through `balanceOf` can lead to Donation Attacks #537

Closed c4-bot-6 closed 6 months ago

c4-bot-6 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/Withdraw/WithdrawQueue.sol?plain=1#L156-L162

Vulnerability details

Impact

The getAvailableToWithdraw function in the withdrawQueue contract relies on the balanceOf and balance values to determine the available balance for withdrawals. This reliance on token balances instead of internal accounting can be exploited by attackers through a donation attack.

Attackers can manipulate the accounting by donating tokens to the contract, potentially causing inconsistencies in the available balance for withdrawals and disrupting the normal functioning of the protocol.

Some Impacts of these donation attacks will be:

Inconsistent available balance: The donation attack can lead to inconsistencies in the available balance for withdrawals. If an attacker donates a large number of tokens to the contract, it will artificially inflate the available balance returned by the getAvailableToWithdraw function. This can cause confusion and discrepancies between the actual user balances and the available balance shown by the contract.

Disruption of withdrawals: The inflated available balance can disrupt the normal functioning of the withdrawal process. Users may be unable to withdraw their funds or may encounter errors when attempting to do so. This can lead to frustration, loss of trust, potential reputational damage to the protocol, and loss of funds for the users.

Proof of Concept

Bob observes that the withdrawQueue contract relies on balanceOf and balance to determine the available balance for withdrawals.

Bob donates a large amount of tokens to the withdrawQueue contract, artificially inflating the available balance.

When Alice attempts to withdraw her funds, the getAvailableToWithdraw function returns an incorrect value due to the inflated balance caused by Bob's donation.

This inconsistency in the available balance can lead to issues with Alice's withdrawal, potentially causing a denial of service, inability to withdraw or other unexpected behavior.

Tools Used

Manual Review

Recommended Mitigation Steps

Implement a more robust internal accounting system that keeps track of user balances and available funds separately from the token balances instead of relying on balanceOf natively. This internal accounting should be updated when users deposit or withdraw funds, ensuring that the available balance is accurately reflected and not affected by external donations.

Assessed type

Other

raymondfam commented 6 months ago

The protocol is going to thank Bob for his generous donation.

raymondfam commented 6 months ago

@howlbot reject