Closed c4-bot-1 closed 2 months ago
Provisionally marking as satisfactory
3docSec marked the issue as satisfactory
3docSec marked the issue as selected for report
This finding seems to come from a misunderstanding: params.nfpm is an NFT contract, so it can't point to an ERC20 contract like WETH9
3docSec marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-06-krystal-defi/blob/f65b381b258290653fa638019a5a134c4ef90ba8/src/V3Automation.sol#L91-L168
Vulnerability details
Proof of Concept
Take a look at https://github.com/code-423n4/2024-06-krystal-defi/blob/f65b381b258290653fa638019a5a134c4ef90ba8/src/V3Automation.sol#L91-L168
Evidently at the final step of the execution this is being done.
NB: A similar logic could be applicable here.
Now note that from the readMe the below has been stated https://github.com/code-423n4/2024-06-krystal-defi/blob/f65b381b258290653fa638019a5a134c4ef90ba8/README.md#L101
Now whereas this would work normally on other chains if WETH or tokens like it is integrated and is being transferred out, it would fail on the Arbitrum chain, which protocol plans to deploy on, this is because the transfer is transferFrom and then passing addressThis as the from, as hinted earlier on this would work fine on most chains (Ethereum, Optimism, Polygon, BSC) which use the standard WETH9 contract that handles the case when src == msg.sender, i.e:
The problem is that the WETH implementation on Arbitrum uses a different contract, and does not have this src == msg.sender handling, which makes the transfer attempt to always fail.
Also, the issue is present both on Blast and Wrapped Fantom. ...just in case protocol decides on deploying there in the future.
Impact
Because the contract never approves itself to spend WETH, the token transfer line will always revert on Arbitrum when dealing with WETH.
Categorizing this as Medium given that it impacts the availability of V3Automation#execute() on the supported Arbitrum chain with WETH.
Tool used
Recommended Mitigation Steps
Assessed type
Token-Transfer
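The allowance behaviour this report describes, modelled in Python as an added example (not part of the report, the judge's comments, or the Krystal code base): one token keeps WETH9's src == msg.sender shortcut, the other always checks the allowance, which is how the report characterises Arbitrum's WETH. The Token class, the self_transfer helper and the account names are constructed for illustration.

```python
# Constructed model of ERC-20 allowance handling; not WETH9 or Krystal source.
MAX_UINT = 2**256 - 1


class Revert(Exception):
    pass


class Token:
    """Minimal ERC-20 ledger. weth9_shortcut=True models WETH9's
    'src != msg.sender' guard around the allowance check."""

    def __init__(self, weth9_shortcut):
        self.weth9_shortcut = weth9_shortcut
        self.balance = {}
        self.allowance = {}

    def approve(self, sender, spender, amount):
        self.allowance[(sender, spender)] = amount

    def transfer_from(self, sender, src, dst, amount):
        if self.balance.get(src, 0) < amount:
            raise Revert("insufficient balance")
        skip = self.weth9_shortcut and src == sender
        allowed = self.allowance.get((src, sender), 0)
        # Infinite allowance is never decremented (assumed for both variants).
        if not skip and allowed != MAX_UINT:
            if allowed < amount:
                raise Revert("insufficient allowance")
            self.allowance[(src, sender)] = allowed - amount
        self.balance[src] -= amount
        self.balance[dst] = self.balance.get(dst, 0) + amount


def self_transfer(token, self_approve=False):
    """A contract moves its own balance via transferFrom(address(this), user)."""
    contract, user = "contract", "user"  # hypothetical account labels
    token.balance[contract] = 100
    if self_approve:
        token.approve(contract, contract, 100)
    try:
        token.transfer_from(contract, contract, user, 100)
        return "ok"
    except Revert as exc:
        return f"revert: {exc}"


if __name__ == "__main__":
    print("with shortcut:         ", self_transfer(Token(True)))
    print("without shortcut:      ", self_transfer(Token(False)))
    print("without, self-approved:", self_transfer(Token(False), True))
```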