code-423n4 / 2024-05-loop-findings


Insufficient Validation of _validateData function #76

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://vscode.dev/github/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L414

Vulnerability details

Impact

The _validateData function conducts preliminary checks on certain parameters, including the input token, input amount, and the selector. However, it is important to note that this function does not extend its validation to verify the integrity of the swap path or to confirm the accuracy of the amounts received post-swap.

The absence of comprehensive validation measures could potentially expose the contract to security vulnerabilities, particularly in scenarios where the data provided by the 0x API is inaccurate or subject to manipulation.

    function _validateData(address _token, uint256 _amount, Exchange _exchange, bytes calldata _data) internal view {
        address inputToken;
        address outputToken;
        uint256 inputTokenAmount;
        address recipient;
        bytes4 selector;

        if (_exchange == Exchange.UniswapV3) {
            (inputToken, outputToken, inputTokenAmount, recipient, selector) = _decodeUniswapV3Data(_data);
            if (selector != UNI_SELECTOR) {
                revert WrongSelector(selector);
            }
            // UniswapV3Feature.sellTokenForEthToUniswapV3(encodedPath, sellAmount, minBuyAmount, recipient) requires `encodedPath` to be a Uniswap-encoded path, where the last token is WETH, and sends the NATIVE token to `recipient`
            if (outputToken != address(WETH)) {
                revert WrongDataTokens(inputToken, outputToken);
            }
        } else if (_exchange == Exchange.TransformERC20) {
            (inputToken, outputToken, inputTokenAmount, selector) = _decodeTransformERC20Data(_data);
            if (selector != TRANSFORM_SELECTOR) {
                revert WrongSelector(selector);
            }
            if (outputToken != ETH) {
                revert WrongDataTokens(inputToken, outputToken);
            }
        } else {
            revert WrongExchange();
        }

        if (inputToken != _token) {
            revert WrongDataTokens(inputToken, outputToken);
        }
        if (inputTokenAmount != _amount) {
            revert WrongDataAmount(inputTokenAmount);
        }
        if (recipient != address(this) && recipient != address(0)) {
            revert WrongRecipient(recipient);
        }
    }

However, it is important to note that this function does not extend its validation to verify the integrity of the swap path or to confirm the accuracy of the amounts received post-swap.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

Tools Used

Manual

Recommended Mitigation Steps

Validate the swap path to ensure it only includes trusted tokens and exchanges. Verify the amounts received post-swap match the expected minimums or estimates. Introduce a minBuyAmount parameter to the claim and claimAndStake functions to set a floor for acceptable ETH received. This parameter should be carried through the _validateData and _fillQuote functions to prevent swaps below the minimum threshold.

Assessed type

Invalid Validation
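
An added example, not part of the submission or of PrelaunchPoints.sol: an offline decoder for the `sellTokenForEthToUniswapV3(encodedPath, sellAmount, minBuyAmount, recipient)` calldata named in the code comment above, applying the four checks `_validateData` shows plus the path and minimum-output checks the report proposes. The selector bytes, the sample addresses, the `trusted` set and the `floor` value are constructed assumptions, as is reading the input and output tokens from the first and last path entries.

```python
# Added example: offline check of sellTokenForEthToUniswapV3 calldata (not project code).
ADDR, FEE, WORD = 20, 3, 32
UNI_SELECTOR = bytes.fromhex("aabbccdd")  # constructed placeholder, not the real selector

def word(args: bytes, i: int) -> int:
    """Return the i-th 32-byte ABI head word as an integer."""
    return int.from_bytes(args[i * WORD:(i + 1) * WORD], "big")

def decode(data: bytes) -> dict:
    """Decode (bytes encodedPath, uint256 sellAmount, uint256 minBuyAmount, address recipient)."""
    if len(data) < 4 + 4 * WORD or data[:4] != UNI_SELECTOR:
        raise ValueError("wrong selector or truncated head")
    args = data[4:]
    off = word(args, 0)  # offset of the dynamic encodedPath tail
    n = int.from_bytes(args[off:off + WORD], "big")
    path = args[off + WORD:off + WORD + n]
    # Uniswap V3 path layout: token(20) | fee(3) | token(20) | ... with at least one hop
    if len(path) != n or n < 2 * ADDR + FEE or (n - ADDR) % (ADDR + FEE):
        raise ValueError("malformed path")
    tokens = [path[i:i + ADDR] for i in range(0, n, ADDR + FEE)]
    return {"tokens": tokens, "sell": word(args, 1), "min_buy": word(args, 2),
            "recipient": args[3 * WORD + 12:4 * WORD]}

def validate(data, token, amount, weth, this, trusted, floor):
    """Return the list of failed checks; an empty list means the calldata passed."""
    d = decode(data)
    checks = [
        (d["tokens"][0] != token, "input token mismatch"),
        (d["tokens"][-1] != weth, "path does not end in WETH"),
        (d["sell"] != amount, "sell amount mismatch"),
        (d["recipient"] not in (this, bytes(ADDR)), "wrong recipient"),
        # The two checks the report proposes (assumed policy inputs: trusted, floor)
        (any(t not in trusted for t in d["tokens"][1:-1]), "untrusted intermediate token"),
        (d["min_buy"] < floor, "minBuyAmount below floor"),
    ]
    return [msg for failed, msg in checks if failed]

def encode(path: bytes, sell: int, min_buy: int, recipient: bytes) -> bytes:
    """ABI-encode constructed sample calldata for the demo."""
    head = b"".join(v.to_bytes(WORD, "big") for v in (4 * WORD, sell, min_buy))
    tail = len(path).to_bytes(WORD, "big") + path + bytes(-len(path) % WORD)
    return UNI_SELECTOR + head + recipient.rjust(WORD, b"\0") + tail

# Constructed sample: two-hop path LRT -> MID -> WETH, minBuyAmount of zero
LRT, MID, WETH, THIS = (bytes([b]) * ADDR for b in (0x11, 0x22, 0x33, 0x44))
HOP = (500).to_bytes(FEE, "big")
SAMPLE = encode(LRT + HOP + MID + HOP + WETH, 10**18, 0, THIS)
print(validate(SAMPLE, LRT, 10**18, WETH, THIS, trusted=set(), floor=1))
```
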

0xd4n1el commented 4 months ago

0x API gives quotes that are then respected. Validating whole paths is unfeasible due to gas limits. PoC for other vulnerabilities is not provided.

c4-judge commented 3 months ago

koolexcrypto marked the issue as primary issue

c4-judge commented 3 months ago

koolexcrypto marked the issue as unsatisfactory: Invalid