Open c4-bot-7 opened 4 months ago
H-01: V3Vault.sol permit signature does not check receiving token address is USDC
The issues comes from the fact that whenever permit2.permitTransferFrom is used in V3Vault, the original code doesn't check if the input token in permit is the same with the vault's asset token:
permit2.permitTransferFrom
V3Vault
permit
if (permitData.length > 0) { (ISignatureTransfer.PermitTransferFrom memory permit, bytes memory signature) = abi.decode(permitData, (ISignatureTransfer.PermitTransferFrom, bytes)); permit2.permitTransferFrom( permit, ISignatureTransfer.SignatureTransferDetails(address(this), assets), msg.sender, signature ); }
This allows the attacker to input any ERC20 token and proceed without actually transferring asset tokens to the vault.
PR #19 The code now checks if input token is the same with asset token every time permit2.permitTransferFrom is used:
if (permitData.length != 0) { (ISignatureTransfer.PermitTransferFrom memory permit, bytes memory signature) = abi.decode(permitData, (ISignatureTransfer.PermitTransferFrom, bytes)); if (permit.permitted.token != asset) { revert InvalidToken(); } permit2.permitTransferFrom( permit, ISignatureTransfer.SignatureTransferDetails(address(this), assets), msg.sender, signature ); }
The mitigation resolved the original issue.
LGTM
jhsagd76 marked the issue as satisfactory
Lines of code
Vulnerability details
C4 issue
H-01: V3Vault.sol permit signature does not check receiving token address is USDC
Comment
The issues comes from the fact that whenever
permit2.permitTransferFrom
is used inV3Vault
, the original code doesn't check if the input token inpermit
is the same with the vault's asset token:This allows the attacker to input any ERC20 token and proceed without actually transferring asset tokens to the vault.
Mitigation
PR #19 The code now checks if input token is the same with asset token every time
permit2.permitTransferFrom
is used:The mitigation resolved the original issue.
Conclusion
LGTM