code-423n4 / 2024-06-panoptic-validation


Arbitrary from Address in transferFrom Function in the SemiFungiblePositionManager contract #5

Closed c4-bot-1 closed 5 months ago

c4-bot-1 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/SemiFungiblePositionManager.sol#L404-L428
https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/SemiFungiblePositionManager.sol#L437-L459

Vulnerability details

Impact


Contract: SemiFungiblePositionManager.sol

Functions:

- uniswapV3MintCallback(uint256,uint256,bytes)
- uniswapV3SwapCallback(int256,int256,bytes)

Lines:

- 404-428
- 437-459

Issue: Arbitrary from Address in transferFrom Function

The use of an arbitrary from address in the transferFrom calls within the uniswapV3MintCallback and uniswapV3SwapCallback functions could lead to unauthorised token transfers. This vulnerability may allow an attacker to transfer tokens from any address that has approved the contract, potentially resulting in the loss of funds without the token holder’s consent.

Proof of Concept


  1. Deploy the SemiFungiblePositionManager contract.
  2. Invoke the uniswapV3MintCallback or uniswapV3SwapCallback with a malicious payer address that has not authorised the contract to transfer tokens on its behalf.
  3. Observe if the contract is able to transfer tokens from this unauthorised address.

Expected Result: The transaction should pass due to lack of authorisation.

Tools Used

Manual review and Slither.

Recommended Mitigation Steps

Validate from Address: Implement checks to ensure that the from address in the transferFrom calls is a trusted and verified address, not arbitrarily supplied by the user.

Access Controls: Introduce role-based access control (RBAC) to restrict who can call sensitive functions like uniswapV3MintCallback and uniswapV3SwapCallback. Use modifiers.

Assessed type

Access Control
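The mitigation outlined above (validate the caller before honouring the decoded payer), shown as an added example rather than Panoptic's own code: a hypothetical GuardedCallbackExample contract whose callback only proceeds when msg.sender is the pool the contract is itself mid-mint with, and whose payer comes from data the contract encoded, never from an arbitrary caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces for the example (assumption: not Panoptic's own code).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IUniswapV3PoolLike {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function mint(address recipient, int24 tickLower, int24 tickUpper, uint128 amount, bytes calldata data)
        external returns (uint256 amount0, uint256 amount1);
}

/// @notice Illustrative guard for a Uniswap-style mint callback.
/// The callback pays from the payer encoded in `data`, but only after
/// confirming that msg.sender is the pool this contract is currently
/// minting into, so an outside caller cannot invoke the callback with
/// a payer of its choosing.
contract GuardedCallbackExample {
    // Pool we expect a callback from; zero outside of an active mint.
    address private activePool;

    error UnauthorizedCallback(address caller);

    // User-facing entry point: records the pool, mints, then clears the record.
    function mintFor(IUniswapV3PoolLike pool, int24 tickLower, int24 tickUpper, uint128 liquidity) external {
        activePool = address(pool);
        // The payer is msg.sender of *this* call, encoded by us, not chosen by whoever calls the callback.
        pool.mint(address(this), tickLower, tickUpper, liquidity, abi.encode(msg.sender));
        activePool = address(0);
    }

    function uniswapV3MintCallback(uint256 amount0Owed, uint256 amount1Owed, bytes calldata data) external {
        // Access control: only the pool we are mid-mint with may call back (activePool is zero otherwise).
        if (msg.sender != activePool) revert UnauthorizedCallback(msg.sender);

        address payer = abi.decode(data, (address));
        IUniswapV3PoolLike pool = IUniswapV3PoolLike(msg.sender);
        if (amount0Owed > 0) {
            require(IERC20(pool.token0()).transferFrom(payer, msg.sender, amount0Owed), "transfer0 failed");
        }
        if (amount1Owed > 0) {
            require(IERC20(pool.token1()).transferFrom(payer, msg.sender, amount1Owed), "transfer1 failed");
        }
    }
}
```

With this guard, a direct call to uniswapV3MintCallback from any account other than the pool recorded during an in-progress mintFor reverts, so the decoded payer can never be supplied by an unrelated caller.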

c4-bot-2 commented 5 months ago

Withdrawn by debo