Open hats-bug-reporter[bot] opened 6 months ago
There is a whitelist for template and cross-chain interface on the UI (not on the factory). Users shouldn't blindly trust any vault created by the factory. The reason why we allow anyone on the factory is for third parties to add their own templates to the protocol (and cross-chain interfaces) which they can custom whitelist on their UI. This simplifies event collection for Ethers v5.
This is not my vulnerability, I just want to understand this better. If i'm correct in my assumptions: only vaults made from whitelisted templates will be shown in the UI to users? And the whitelisted templates are based on CatalystVaultAmplified, CatalystVaultVolatile, etc?
Whitelisted templates AND whitelisted cross-chain interfaces.
Currently, the only 2 templates to be whitelisted are CatalystVaultAmplified and CatalystVaultVolatile. We have ideas for other templates in the future. We have already had third parties reach out with ideas for other templates. We want them to be able to develop and deploy these without our permission. We can then decide if we want to whitelist them on our ui or not.
The idea behind the cross-chain interface whitelist is that you can circumvent the Generalised Incentives implementation. Say you want to have a direct integration into Wormhole, LZ, or another AMB. Of course, you might also want different templates in that case.
Thanks for the comprehensive answer!
Github username: @nuthan2x
Twitter username: nuthan2x
Submission hash (on-chain): 0x15ca4874ac37812e7a96cf9ea700212fac218ff387d7eda87c11ded74b6e0fae
Severity: high
Description: The CatalystFactory::deployVault deploys a vault with assets, corresponding weights, name, symbol, fees, and a vault template address to point the clone proxy to. So, due to this improper validation of the vault template, the attacker can abuse it and deploy a vault with malicious code and can drain or self-destruct to lock funds.
Attack Scenario: WETH-USDC with 50-50 weight and it has 1 million liquidity.
Attachments
Proof of Concept (PoC) File: See the latest version of the PoC at https://gist.github.com/nuthan2x/7eac27f9554134f2fdb096e3567971fc
Revised Code File (Optional): look at the @audit tags at https://gist.github.com/nuthan2x/1156d411edf285284543eb30dd2bdf82