hats-finance / Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4


Any attacker can drain his deployed vault using a malicious vault template #12

Open hats-bug-reporter[bot] opened 6 months ago

hats-bug-reporter[bot] commented 6 months ago

Github username: @nuthan2x Twitter username: nuthan2x Submission hash (on-chain): 0x15ca4874ac37812e7a96cf9ea700212fac218ff387d7eda87c11ded74b6e0fae Severity: high

Description: The [CatalystFactory::deployVault] deploys a vault with assets, corresponding weights, name, symbol, fees, and a vault template address to point the clone proxy to. So, due to this improper validation of the vault template, the attacker can abuse it and deploy a vault with malicious code, and can drain or self-destruct it to lock funds.

Attack Scenario:

Attachments

  1. Proof of Concept (PoC) File See the latest version of POC at ==> https://gist.github.com/nuthan2x/7eac27f9554134f2fdb096e3567971fc

  2. Revised Code File (Optional) look at @audit tags at ==> https://gist.github.com/nuthan2x/1156d411edf285284543eb30dd2bdf82

reednaa commented 6 months ago

There is a whitelist for template and cross-chain interface on the UI (not on the factory). Users shouldn't blindly trust any vault created by the factory. The reason why we allow anyone on the factory is for third parties to add their own templates to the protocol (and cross-chain interfaces) which they can custom whitelist on their UI. This simplifies event collection for Ethers v5

0xfuje commented 6 months ago

This is not my vulnerability, I just want to understand this better. If i'm correct in my assumptions: only vaults made from whitelisted templates will be shown in the UI to users? And the whitelisted templates are based on CatalystVaultAmplified, CatalystVaultVolatile, etc?

reednaa commented 6 months ago

Whitelisted templates AND whitelisted cross-chain interfaces.

Currently, the only 2 templates to be whitelisted are CatalystVaultAmplified and CatalystVaultVolatile. We have ideas for other templates in the future. We have already had third parties reach out with ideas for other templates. We want them to be able to develop and deploy these without our permission. We can then decide if we want to whitelist them on our UI or not.

The idea behind the cross-chain interface whitelist is that you can circumvent the Generalised Incentives implementation. Say you want to have a direct integration into Wormhole, LZ, or another AMB. Of course, you might also want different templates in that case.
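The maintainers' position above is that the factory is intentionally permissionless and that trust is established off-chain: a front end only lists vaults whose template AND cross-chain interface are both on its allowlist. The following is an added example, not Catalyst's code, of that UI-side filter applied to decoded factory events. The event field names (`vault`, `template`, `crossChainInterface`) and all addresses are assumptions or constructed placeholders, not the real CatalystFactory event layout or real deployments. It also shows the two edge cases a practitioner would want covered: mixed-case addresses must compare equal, and malformed fields must be rejected rather than silently passed through.

```javascript
// Added example (not the project's code): off-chain allowlist filtering of
// factory-created vaults, mirroring the UI-side whitelist described in the thread.
// Event field names below are assumptions, not the real CatalystFactory ABI.

// Normalize an EVM address for comparison: lowercase hex, 20 bytes, 0x prefix.
// Returns null for anything malformed so callers reject it instead of matching.
function normalizeAddress(addr) {
  if (typeof addr !== "string") return null;
  const a = addr.trim().toLowerCase();
  return /^0x[0-9a-f]{40}$/.test(a) ? a : null;
}

// Build a Set of normalized addresses; a bad allowlist entry is a config error.
function buildAllowlist(addresses) {
  const set = new Set();
  for (const a of addresses) {
    const n = normalizeAddress(a);
    if (n === null) throw new Error(`bad allowlist address: ${a}`);
    set.add(n);
  }
  return set;
}

// A vault is trusted only if BOTH its template and its cross-chain interface
// are allowlisted; an unparseable field fails closed.
function isTrustedVault(event, allowedTemplates, allowedInterfaces) {
  const t = normalizeAddress(event.template);
  const cci = normalizeAddress(event.crossChainInterface);
  if (t === null || cci === null) return false;
  return allowedTemplates.has(t) && allowedInterfaces.has(cci);
}

// Filter a batch of decoded deployment events down to the ones a UI may show.
function filterTrustedVaults(events, templates, interfaces) {
  const allowedTemplates = buildAllowlist(templates);
  const allowedInterfaces = buildAllowlist(interfaces);
  return events.filter((e) => isTrustedVault(e, allowedTemplates, allowedInterfaces));
}

// Constructed sample data: placeholder addresses, not real deployments.
const TEMPLATE_AMPLIFIED = "0x" + "a1".repeat(20);
const TEMPLATE_VOLATILE = "0x" + "b2".repeat(20);
const CCI_OFFICIAL = "0x" + "c3".repeat(20);
const UNKNOWN_TEMPLATE = "0x" + "d4".repeat(20);
const UNKNOWN_CCI = "0x" + "e5".repeat(20);

const SAMPLE_EVENTS = [
  // allowlisted template + allowlisted interface: shown
  { vault: "0x" + "01".repeat(20), template: TEMPLATE_AMPLIFIED, crossChainInterface: CCI_OFFICIAL },
  // same as above but template emitted in upper case: still shown after normalization
  { vault: "0x" + "02".repeat(20), template: TEMPLATE_VOLATILE.toUpperCase().replace("0X", "0x"), crossChainInterface: CCI_OFFICIAL },
  // third-party template not on this UI's allowlist: hidden
  { vault: "0x" + "03".repeat(20), template: UNKNOWN_TEMPLATE, crossChainInterface: CCI_OFFICIAL },
  // allowlisted template but unknown cross-chain interface: hidden (AND, not OR)
  { vault: "0x" + "04".repeat(20), template: TEMPLATE_AMPLIFIED, crossChainInterface: UNKNOWN_CCI },
  // malformed template field: hidden, fails closed
  { vault: "0x" + "05".repeat(20), template: "not-an-address", crossChainInterface: CCI_OFFICIAL },
];

// Returns the vault addresses the constructed sample would surface in the UI.
function trustedSampleVaults() {
  return filterTrustedVaults(SAMPLE_EVENTS, [TEMPLATE_AMPLIFIED, TEMPLATE_VOLATILE], [CCI_OFFICIAL])
    .map((e) => e.vault);
}

console.log(trustedSampleVaults());
```

The design choice worth noting is that the check fails closed: a vault whose template or interface cannot be parsed, or is simply not on the list, is never displayed, so a vault cloned from an arbitrary template reaches users only if the front end operator explicitly adds that template to their allowlist.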

0xfuje commented 6 months ago

Thanks for the comprehensive answer!