hats-finance / Blast-Futures-Exchange-0x97895c329b950755566ddcdad3395caaea395074

Vulnerability in withdrawTokensTo Function Allows Unauthorized Withdrawals to BFX Exchange #49

Open hats-bug-reporter[bot] opened 4 months ago

hats-bug-reporter[bot] commented 4 months ago

Github username: --
Twitter username: @recursiveAudit
Submission hash (on-chain): 0xdc4c563b13ebcebd7a558df1c5dd3a4917e84ab4e51d486623be04def381667c
Severity: medium

Description:

BfxVault:withdrawTokensTo() is designed to allow the owner of the vault to withdraw tokens to a specified address. However, there's a vulnerability in the function where the owner can potentially bypass security measures by sending tokens directly to the BFX exchange contract address.

Attack Scenario

Misuse of Functionality: The owner of the vault maliciously or mistakenly provides the BFX exchange contract address (to) as the destination for withdrawing tokens. This action is not intended, as funds should not be sent directly to the exchange contract from the vault.

Uneven Balance: Sending tokens directly to the BFX exchange contract could result in an uneven balance on the exchange, making it difficult to track and manage funds accurately. This imbalance could lead to operational issues, loss of funds, or incorrect accounting.

Exploitation: An attacker who gains control over the owner's account could exploit this vulnerability by forcing the withdrawal of tokens to the BFX exchange contract address, disrupting the balance and potentially causing financial harm or loss to the vault's operations.

Attachments

  1. Proof of Concept (PoC) File
    function withdrawTokensTo(uint256 amount, address to) external onlyOwner {
        require(amount > 0, "WRONG_AMOUNT");
        require(to != address(0), "ZERO_ADDRESS");
        emit WithdrawTo(to, amount);
        bool success = _makeTransfer(to, amount);
        require(success, "TRANSFER_FAILED");
    }
  2. Revised Code File (Optional)
 function withdrawTokensTo(uint256 amount, address to) external onlyOwner {
+    // include require statement which stops owner to transfer funds to himself or contract by miss.
+       require(to != address(bfx) && to != address(owner),"Amount cannot be sent to Bfx")
        require(amount > 0, "WRONG_AMOUNT");
        require(to != address(0), "ZERO_ADDRESS");
        emit WithdrawTo(to, amount);
        bool success = _makeTransfer(to, amount);
        require(success, "TRANSFER_FAILED");
    }
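
Review bot: The added `require(to != address(bfx) && to != address(owner), ...)` line has no terminating semicolon, so the revised function does not compile as posted. Its revert string, "Amount cannot be sent to Bfx", covers only half of the condition: the same check also rejects the owner as recipient, which the description above does not motivate, so either drop the owner clause or split it into a second `require` with its own message. `owner` is wrapped in `address(...)` without a call; if it is a getter function rather than a state variable it has to be written `owner()`. The check also leaves every other destination open, so it does not constrain the compromised-owner-key scenario the report describes.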
alex-sumner commented 4 months ago

Anyone can send funds directly to the exchange contract. This will not have any adverse effect on the functioning of the exchange.

The particular actions described here, sending funds from the vault to the exchange, require access to the private keys of the vault owner account.