c4-bot-2
commented
4 months ago Discord id(s) for hunter(s): [object Object]
Closed c4-bot-6 closed 4 months ago
c4-bot-2
commented
4 months ago Discord id(s) for hunter(s): [object Object]
Lines of code
https://github.com/redacted-cartel/pirex-eth-contracts/blob/11f30c7e35b67d45deefe405c22a30f352bc5b21/src/PirexEth.sol#L460
Vulnerability details
I have identified a potential vulnerability related to the
feeAmountcalculation in theinstantRedeemWithPxEthfunction.Vulnerability:
The
instantRedeemWithPxEthfunction calculates thefeeAmountbased on theassetsparameter, which is provided by the user. This calculation does not include any upper limit, making it susceptible to an integer overflow attack. An attacker can exploit this vulnerability to create a largefeeAmount, leading to an overflow, and eventually, thepostFeeAmountcan become zero, allowing the attacker to redeem all thepxETHwithout paying any fees.Impact:
An attacker can exploit this vulnerability to drain the
pxETHbalance from the contract without paying the required fees, resulting in potential loss of funds.Exploitation:
An attacker can create a malicious transaction with an extremely large
assetsvalue to trigger an integer overflow in thefeeAmountcalculation. This will lead to a zero or near-zeropostFeeAmount, allowing the attacker to redeem all thepxETHwithout paying any fees.Recommendation:
To mitigate this vulnerability, implement a maximum limit on the
feeAmountbased on theassetsparameter. This can be done by either using themaxFeesmapping to check for any predefined maximum fees or by calculating the maximum allowed fee amount based on the remainingpxETHin the contract.Here is an example of how to implement the fix:
instantRedeemWithPxEthfunction to calculate themaxFeeAmount:feeAmountis less than or equal to themaxFeeAmountbefore proceeding with the redemption process:By implementing this fix, you can prevent the integer overflow attack and secure the smart contract against potential fee manipulation.