Lines of code

Vulnerability details

C4 issue

H-03: V3Vault::transform does not validate the data input and allows a depositor to exploit any position approved on the transformer

Comment

In the original code, function V3Vault.transform does not validate the input data to call transformer:

The transformers also don't validate call data; they will proceed as long as the caller is the vault, for example AutoRange.execute:

An attacker can provide a different tokenId in the call data and transform other users' positions.

Mitigation

PR #29

The mitigation code implements validation for each transformer instead of validating it in V3Vault. A new function _validateCaller is added:

Function _validateCaller ensures that transformedTokenId is the same as params.tokenId. This function is then used for validation in every related transformer function: AutoCompound.execute, AutoRange.execute, AutoRange.configToken, LeverageTransformer.leverageUp, LeverageTransformer.leverageDown, V3Utils.execute.

I think these are all the functions that need this validation.

Suggestion

I think the function setOperator should also revert if the input operator is a vault:

    function setOperator(address _operator, bool _active) public onlyOwner {
        emit OperatorChanged(_operator, _active);
        operators[_operator] = _active;
    }

Because if a vault is also an operator, then an attacker can call V3Vault.execute with malicious data and _validateCaller is not called:

    if (!operators[msg.sender]) {
        if (vaults[msg.sender]) {
            _validateCaller(nonfungiblePositionManager, params.tokenId);
        } else {
            revert Unauthorized();
        }
    }

Conclusion

LGTM
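
One way to implement the Suggestion above, as an added example that is not the project's code or part of PR #29: it keeps the operator and vault roles disjoint when they are configured, and also checks the vault role first so a vault caller is always validated. The contract name, setVault, VaultChanged, RoleConflict, _authorize, the owner handling and the address type of nonfungiblePositionManager are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. Names not on the page
// (GuardedTransformer, setVault, VaultChanged, RoleConflict, _authorize) are hypothetical.
abstract contract GuardedTransformer {
    error Unauthorized();
    error RoleConflict(address account); // hypothetical

    event OperatorChanged(address operator, bool active);
    event VaultChanged(address vault, bool active); // hypothetical

    address public immutable owner;
    mapping(address => bool) public operators;
    mapping(address => bool) public vaults;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized();
        _;
    }

    // Guard 1: an address that is already a vault cannot be activated as an operator.
    function setOperator(address _operator, bool _active) public onlyOwner {
        if (_active && vaults[_operator]) revert RoleConflict(_operator);
        emit OperatorChanged(_operator, _active);
        operators[_operator] = _active;
    }

    // Symmetric guard: otherwise an existing operator could later be registered as a vault.
    function setVault(address _vault, bool _active) public onlyOwner {
        if (_active && operators[_vault]) revert RoleConflict(_vault);
        emit VaultChanged(_vault, _active);
        vaults[_vault] = _active;
    }

    // Guard 2: test the vault role first, so a vault caller always goes through
    // _validateCaller even if it was also registered as an operator.
    function _authorize(address nonfungiblePositionManager, uint256 tokenId) internal view {
        if (vaults[msg.sender]) {
            _validateCaller(nonfungiblePositionManager, tokenId);
        } else if (!operators[msg.sender]) {
            revert Unauthorized();
        }
    }

    // Stand-in for the mitigation's check; its body is not shown on the page.
    function _validateCaller(address nonfungiblePositionManager, uint256 tokenId) internal view virtual;
}
```

Either guard alone closes the overlap described in the Suggestion; the configuration-time check rejects the bad state, while the reordered branch stays safe even if that state already exists.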