GitHub username: @chainNue
Twitter username: --
Submission hash (on-chain): 0x1a1db363e577dcc0f5fbb27046aa91672db60f847ba87e1398538508ffd0898c
Severity: high

Description

Currently in `CatalystFactory`, the `deployVault` function accepts any custom `vaultTemplate` address. This `vaultTemplate` should be a whitelisted address, in order to protect Catalyst from some issues.

When `vaultTemplate` accepts a custom address without any validation, a malicious user can take advantage of the Catalyst protocol.

Not sure how off-chain vault listing works, but vault discovery on the Catalyst platform via the `VaultDeployed` event will capture this custom vault.

Also, `isCreatedByFactory` will always be true; for example, in the `CatalystDescriber` off-chain query, `get_factory_of_vault` of this custom vault will return the valid `CatalystFactory`.

Attack Scenario

One issue that clearly happens when providing a custom `vaultTemplate` is that a malicious user can skip paying fees (`_defaultGovernanceFee`).

A malicious user deploys a modified version of `CatalystVaultCommon` with a little modification, for example

`CatalystVaultCommon` above, save the deployed address.

`deployVault` in the CatalystFactory with the custom `vaultTemplate` above.

Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
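
One way to implement the whitelist check this report asks for, as an added example that is not Catalyst's code. The contract `AllowlistedVaultFactory`, its simplified `deployVault` signature, the single-owner model and the use of OpenZeppelin `Clones` are assumptions; only the names `deployVault`, `vaultTemplate`, `VaultDeployed` and `isCreatedByFactory` come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

/// Hypothetical factory (not Catalyst's): only owner-approved templates can be cloned.
contract AllowlistedVaultFactory {
    address public immutable owner;
    // template => runtime code hash recorded at approval time (zero means not approved)
    mapping(address => bytes32) public approvedTemplateCodehash;
    mapping(address => bool) public isCreatedByFactory;

    event TemplateApproved(address indexed vaultTemplate, bytes32 codehash);
    event TemplateRevoked(address indexed vaultTemplate);
    event VaultDeployed(address indexed vaultTemplate, address indexed vault, address deployer);

    error NotOwner();
    error TemplateHasNoCode(address vaultTemplate);
    error TemplateNotApproved(address vaultTemplate);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function approveTemplate(address vaultTemplate) external onlyOwner {
        if (vaultTemplate.code.length == 0) revert TemplateHasNoCode(vaultTemplate);
        approvedTemplateCodehash[vaultTemplate] = vaultTemplate.codehash;
        emit TemplateApproved(vaultTemplate, vaultTemplate.codehash);
    }

    function revokeTemplate(address vaultTemplate) external onlyOwner {
        delete approvedTemplateCodehash[vaultTemplate];
        emit TemplateRevoked(vaultTemplate);
    }

    function deployVault(address vaultTemplate) external returns (address vault) {
        bytes32 expected = approvedTemplateCodehash[vaultTemplate];
        // Reject unknown templates, and templates whose code differs from what was approved.
        if (expected == bytes32(0) || vaultTemplate.codehash != expected) {
            revert TemplateNotApproved(vaultTemplate);
        }
        vault = Clones.clone(vaultTemplate); // EIP-1167 minimal proxy of the approved template
        isCreatedByFactory[vault] = true;    // now implies "built from a reviewed template"
        emit VaultDeployed(vaultTemplate, vault, msg.sender);
    }
}
```

With this check in place, an off-chain indexer that trusts `VaultDeployed` or `isCreatedByFactory` only ever sees vaults cloned from templates the owner reviewed.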