code-423n4 / 2024-05-bakerfi-findings


Anyone can trigger flashloan to a strategy #27

Closed c4-bot-9 closed 5 months ago

c4-bot-9 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-05-bakerfi/blob/main/contracts/core/flashloan/BalancerFlashLender.sol#L98-L133

Vulnerability details

Proof of Concept

BalancerFlashLender is created to initiate flashloans from strategies. So when flashLoan is called, BalancerFlashLender initiates a flashloan on Balancer with the borrower as encoded data.

Later, Balancer will call receiveFlashLoan and BalancerFlashLender will trigger the vault with the onFlashLoan callback.

First of all, a flashloan can be initiated on Balancer by anyone, even with amount 0. The user can also pass any data as userData. In our case, the attacker will put the address of the Vault and additional params. He will provide BalancerFlashLender as recipient, so Balancer will trigger BalancerFlashLender.

Then BalancerFlashLender will trigger the vault that was passed as borrower.

The check inside the vault will also pass and the call will be considered valid. Now the attacker can use his own crafted data to execute something with the vault. For example, he can use _repayAndWithdraw to withdraw any profit from the contract to his own address.

Impact

Attacker can steal funds.

Tools Used

VsCode

Recommended Mitigation Steps

BalancerFlashLender should store some variable like flashloanInitiated, set when someone requested a flashloan through it. Then, when Balancer triggers receiveFlashLoan, BalancerFlashLender should check that the variable is indeed true and set it to false afterwards.

Assessed type

Error
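The call path the report describes, and the recommended flashloanInitiated guard, as an added Python model (not BakerFi's or Balancer's code; the class names, balances and the simplified "repayAndWithdraw" action are constructed for illustration):

```python
class Balancer:                      # anyone can call flashLoan, even for amount 0
    def flash_loan(self, recipient, amounts, user_data):
        recipient.receive_flash_loan(self, amounts, [0] * len(amounts), user_data)

class Vault:                         # borrower: only checks that caller is its lender
    def __init__(self, lender):
        self.lender, self.balance = lender, 1000
    def on_flash_loan(self, caller, amounts, fees, data):
        assert caller is self.lender, "onFlashLoan: not lender"
        action, amount = data        # reaches here unchanged from Balancer's userData
        if action == "repayAndWithdraw":
            self.balance -= amount   # constructed stand-in for the real withdrawal

class VulnerableLender:              # forwards to the encoded borrower, no origin check
    def __init__(self, balancer):
        self.balancer = balancer
    def flash_loan(self, borrower, amounts, data):
        self.balancer.flash_loan(self, amounts, (borrower, data))
    def receive_flash_loan(self, caller, amounts, fees, user_data):
        assert caller is self.balancer, "receiveFlashLoan: not balancer"
        borrower, data = user_data
        borrower.on_flash_loan(self, amounts, fees, data)

class HardenedLender(VulnerableLender):  # the report's fix: a flashloanInitiated flag
    def __init__(self, balancer):
        super().__init__(balancer)
        self.flashloan_initiated = False
    def flash_loan(self, borrower, amounts, data):
        self.flashloan_initiated = True   # set only when the lender itself asks Balancer
        super().flash_loan(borrower, amounts, data)
    def receive_flash_loan(self, caller, amounts, fees, user_data):
        if not self.flashloan_initiated:
            raise PermissionError("receiveFlashLoan: loan was not initiated here")
        self.flashloan_initiated = False  # consume the flag: one callback per request
        super().receive_flash_loan(caller, amounts, fees, user_data)

def direct_balancer_call(lender_cls):
    """Untrusted caller asks Balancer for a 0-amount loan whose userData names the vault."""
    balancer = Balancer(); lender = lender_cls(balancer); vault = Vault(lender)
    try:
        balancer.flash_loan(lender, [0], (vault, ("repayAndWithdraw", 500)))
    except PermissionError:
        pass                         # hardened lender rejects the unsolicited callback
    return vault.balance

def legitimate_call(lender_cls):     # vault requests the loan through its own lender
    balancer = Balancer(); lender = lender_cls(balancer); vault = Vault(lender)
    lender.flash_loan(vault, [100], ("repayAndWithdraw", 100))
    return vault.balance
```

With the vulnerable lender the unsolicited callback reaches the vault and its balance drops; with the flag in place the same call is rejected while the lender-initiated path still works.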

c4-judge commented 5 months ago

0xleastwood marked the issue as duplicate of #2

c4-judge commented 5 months ago

0xleastwood marked the issue as satisfactory

c4-judge commented 5 months ago

0xleastwood changed the severity to 2 (Med Risk)