hats-finance / Blast-Futures-Exchange-0x97895c329b950755566ddcdad3395caaea395074


Incorrect Handling of External Call Return Data #55

Open hats-bug-reporter[bot] opened 7 months ago

hats-bug-reporter[bot] commented 7 months ago

Github username: --

Twitter username: --

Submission hash (on-chain): 0x11d034aae0f0234004abf3970f9991a855b3f38ed43776f5a2b39d275f134e37

Severity: low

Description:

The vulnerability in question arises from the incorrect handling of external call return data within the tokenCall function of the PoolDeposit smart contract. This function attempts to interact with an external contract (paymentToken) and determines the success of this interaction based solely on the presence of non-empty return data. This flawed logic assumes that any non-empty return data signifies a successful operation, disregarding the actual boolean success indicator. This can lead to the smart contract erroneously considering failed operations as successful if malicious or poorly designed external contracts return any non-empty data.

Attack Scenario:

An attacker exploits this vulnerability by creating a contract (MaliciousContract) designed to always return non-empty data that decodes to a true boolean value, regardless of the actual execution success. The attacker then interacts with the vulnerable contract, triggering the tokenCall function to call MaliciousContract. Since tokenCall interprets any non-empty return data as success, it can be misled into treating the operation as successful even when it's not, potentially leading to unintended state changes or asset transfers in the attacker's favor.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)


alex-sumner commented 7 months ago

This attack requires the attacker to change the token contract to a malicious contract. This cannot be done without access to the private keys of the owner account.
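
The return-data check this report is about, as an added example that is not the project's code and not part of either comment above: a length-only check as the report describes it, beside a check that also uses the success flag from the low-level call. The contract name, function names and constructor are hypothetical, and `paymentToken` is assumed to be set by a trusted owner, as the reply above notes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Contract and function names are hypothetical.
contract ReturnDataChecks {
    // Assumption: the token address is fixed by a trusted deployer/owner.
    address public immutable paymentToken;

    constructor(address token) {
        paymentToken = token;
    }

    // Pattern as the report describes it: the success flag of the low-level
    // call is discarded and any non-empty return data counts as success.
    // A reverted call also yields non-empty return data (the revert payload),
    // so this check cannot tell a revert from a successful transfer.
    function tokenCallLengthOnly(bytes memory data) internal returns (bool) {
        (, bytes memory returndata) = paymentToken.call(data);
        return returndata.length > 0;
    }

    // Hardened pattern: require deployed code, require the call itself to
    // succeed, then accept either empty return data or one ABI-encoded `true`.
    function tokenCallChecked(bytes memory data) internal returns (bool) {
        // A low-level call to an address with no code succeeds and returns
        // nothing, so check for code before trusting an empty result.
        if (paymentToken.code.length == 0) return false;

        (bool success, bytes memory returndata) = paymentToken.call(data);
        if (!success) return false;

        // Some tokens return no data on success.
        if (returndata.length == 0) return true;

        // Anything other than a single 32-byte word is not a bool result.
        if (returndata.length != 32) return false;

        // abi.decode reverts if the word is neither 0 nor 1.
        return abi.decode(returndata, (bool));
    }
}
```

Neither check protects against a token contract that is itself hostile, since such a contract can return `true` from a call that did nothing; that case depends on who controls `paymentToken`.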