Closed howlbot-integration[bot] closed 3 months ago
It is not clear how this can be used for malicious operations
koolexcrypto marked the issue as primary issue
koolexcrypto changed the severity to QA (Quality Assurance)
koolexcrypto marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L448-L464
Vulnerability details
Impact
Users can skip the checks for inputToken and outputToken in _validateData() because of the wrong assumption that these variables always sit at constant positions in the calldata, and could use this to steal tokens up to the amount of any unused approvals granted to 0x.
Proof of Concept
On the Exchange.UniswapV3 route, there are checks that only allow inputToken to be equal to _token and outputToken to be equal to WETH:
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L412-L435
_decodeUniswapV3Data uses the constant address add(p, 96) to get the beginning (length) of the encodedPath variable:
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L448-L464
But this position is dynamic: it is encoded as an offset in the first word of the calldata.
The calldata will be sent to the following function on the 0x side after the validation:
https://github.com/0xProject/protocol/blob/e66307ba319e8c3e2a456767403298b576abc85e/contracts/zero-ex/contracts/src/features/UniswapV3Feature.sol#L107-L126
For example, let's take the following valid calldata (without the signature):
Here, the result of _decodeUniswapV3Data() will be:
sellTokenForEthToUniswapV3() will interpret the calldata as:
As you can see in the calldata bytecode above, the first word contains the offset (address) of encodedPath, 80. If we change it to e0 and append another bytes structure, similar to the previous encodedPath, to the calldata:
The result of _decodeUniswapV3Data() will still be the same, and the verification will pass because it refers to the old encodedPath:
But sellTokenForEthToUniswapV3() will now refer to the new encodedPath, interpreting the calldata as:
It's possible to pass any variation of encodedPath.
Tools Used
Manual review
Recommended Mitigation Steps
Read the first word of the calldata to get the address of encodedPath.
Assessed type
Invalid Validation
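As an added illustration (a constructed example, not code from the Loop contracts or from 0x), the Python below builds ABI calldata in the layout of sellTokenForEthToUniswapV3's arguments, compares a decoder that hard-codes the position of encodedPath with one that follows the offset word as the mitigation recommends, and shows the two disagreeing once the offset word is repointed. Token addresses, amounts and the pool fee are constructed values.

```python
# ABI layout of (bytes encodedPath, uint256 sellAmount, uint256 minBuyAmount, address recipient),
# selector stripped: four head words, then the tail holding encodedPath (length word + data).
WORD = 32
HEAD_WORDS = 4
CANONICAL_PATH_OFFSET = HEAD_WORDS * WORD  # 0x80: where a standard encoder places encodedPath


def u256(n: int) -> bytes:
    return n.to_bytes(WORD, "big")


def encode_bytes(b: bytes) -> bytes:
    """Tail of a dynamic `bytes` value: length word, then data zero-padded to a 32-byte boundary."""
    return u256(len(b)) + b + b"\x00" * (-len(b) % WORD)


def encode_args(path: bytes, sell_amount: int, min_buy: int, recipient: bytes) -> bytes:
    """Canonical ABI encoding; the first head word is the offset of encodedPath."""
    assert len(recipient) == 20
    head = u256(CANONICAL_PATH_OFFSET) + u256(sell_amount) + u256(min_buy) + recipient.rjust(WORD, b"\x00")
    return head + encode_bytes(path)


def read_bytes_at(data: bytes, pos: int) -> bytes:
    length = int.from_bytes(data[pos:pos + WORD], "big")
    return data[pos + WORD:pos + WORD + length]


def decode_path_fixed(data: bytes) -> bytes:
    """What a validator sees when it assumes encodedPath always starts at 0x80 (the flawed assumption)."""
    return read_bytes_at(data, CANONICAL_PATH_OFFSET)


def decode_path_by_offset(data: bytes) -> bytes:
    """What an ABI-conformant decoder sees: read the first word, then the path it points at (the fix)."""
    return read_bytes_at(data, int.from_bytes(data[:WORD], "big"))


def with_repointed_offset(data: bytes, other_path: bytes) -> bytes:
    """Calldata of the shape the PoC describes: offset word moved past the original tail (0x80 -> 0xe0
    for a 43-byte path) to a second path appended at the end; the original tail stays in place."""
    return u256(len(data)) + data[WORD:] + encode_bytes(other_path)


def path_endpoints(path: bytes) -> tuple:
    """Uniswap V3 packed path: tokenIn (20 bytes) | fee (3 bytes) | ... | tokenOut (20 bytes)."""
    return path[:20], path[-20:]


# Constructed sample values (not real addresses).
TOKEN, WETH, OTHER = b"\x11" * 20, b"\x22" * 20, b"\x33" * 20
FEE_3000 = (3000).to_bytes(3, "big")
SAMPLE = encode_args(TOKEN + FEE_3000 + WETH, 10**18, 1, b"\xaa" * 20)   # first word 0x80
CRAFTED = with_repointed_offset(SAMPLE, OTHER + FEE_3000 + OTHER)       # first word 0xe0
```

On SAMPLE both decoders agree; on CRAFTED the fixed-offset decoder still reports (TOKEN, WETH) while the offset-following decoder reports (OTHER, OTHER), which is exactly the gap the mitigation closes.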