hats-finance / Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4

`vaultTemplate` in CatalystFactory open for custom template while it should be whitelisted #51

Open hats-bug-reporter[bot] opened 5 months ago

hats-bug-reporter[bot] commented 5 months ago

Github username: @chainNue
Twitter username: --
Submission hash (on-chain): 0x1a1db363e577dcc0f5fbb27046aa91672db60f847ba87e1398538508ffd0898c
Severity: high

Description:

Currently in CatalystFactory, the deployVault function accepts any custom vaultTemplate address. This vaultTemplate should be a whitelisted address, in order to protect Catalyst from some issues.

When vaultTemplate accepts a custom address without any validation, a malicious user can take advantage of the Catalyst protocol.

Not sure how off-chain vault listing works, but vault discovery on the Catalyst platform via the VaultDeployed event will capture this custom vault.

Also, isCreatedByFactory will always be true; for example, in the CatalystDescriber off-chain query, get_factory_of_vault for this custom vault will return the valid CatalystFactory.

Attack Scenario

One issue which clearly happens by providing a custom vaultTemplate is that a malicious user can skip paying fees (_defaultGovernanceFee).

  1. A malicious user deploys a modified version of CatalystVaultCommon with a small modification, for example:
    File: CatalystVaultCommon.sol
        function setup(
            string calldata name_,
            string calldata symbol_,
            address chainInterface,
            uint256 vaultFee,
            uint256 governanceFee,
            address feeAdministrator,
            address setupMaster
        ) initializer external override {
        ...
            // Fee fixed at 0 rather than taken from the governanceFee argument.
            _setGovernanceFee(0);
            // setupMaster is passed here, not the feeAdministrator argument.
            _setFeeAdministrator(setupMaster);
        ...
        }
  2. Next, deploy CatalystVaultAmplified or CatalystVaultVolatile, which inherits the custom CatalystVaultCommon above, and save the deployed address.
  3. Call deployVault in the CatalystFactory with the custom vaultTemplate above.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)
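
The allowlist check the report asks for could look like the following. This is an added example, not code from the issue or from the Catalyst repository; the contract, its function, event and error names, the owner-as-fee-administrator choice and the use of OpenZeppelin's `Clones` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

// Parameter list copied from the setup() excerpt quoted in the report.
interface IVaultSetup {
    function setup(string calldata name_, string calldata symbol_, address chainInterface,
        uint256 vaultFee, uint256 governanceFee, address feeAdministrator, address setupMaster) external;
}

// Hypothetical factory: every name below is an assumption, not CatalystFactory's API.
contract AllowlistedVaultFactory {
    address public immutable owner;
    uint256 public immutable defaultGovernanceFee;
    mapping(address => bool) public isApprovedTemplate;
    mapping(address => bool) public isCreatedByFactory;

    event TemplateApprovalChanged(address indexed template, bool approved);
    event VaultDeployed(address indexed template, address indexed vault, address indexed deployer);

    error NotOwner();
    error TemplateNotApproved(address template);

    constructor(uint256 governanceFee_) {
        owner = msg.sender;
        defaultGovernanceFee = governanceFee_;
    }

    // Only the owner can approve or revoke a reviewed template implementation.
    function setTemplateApproval(address template, bool approved) external {
        if (msg.sender != owner) revert NotOwner();
        isApprovedTemplate[template] = approved;
        emit TemplateApprovalChanged(template, approved);
    }

    function deployVault(address vaultTemplate, address chainInterface, uint256 vaultFee,
        string calldata name, string calldata symbol) external returns (address vault)
    {
        // Reject unreviewed templates before cloning, so a template that ignores the
        // governanceFee argument never gets the flag or the event below.
        if (!isApprovedTemplate[vaultTemplate]) revert TemplateNotApproved(vaultTemplate);
        vault = Clones.clone(vaultTemplate);
        // Assumption: the owner acts as fee administrator; the caller is setup master.
        IVaultSetup(vault).setup(name, symbol, chainInterface, vaultFee,
            defaultGovernanceFee, owner, msg.sender);
        isCreatedByFactory[vault] = true;
        emit VaultDeployed(vaultTemplate, vault, msg.sender);
    }
}
```

Because the check runs before the clone is created, neither `isCreatedByFactory` nor the `VaultDeployed` event can ever refer to a vault built from an unapproved template.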

reednaa commented 5 months ago

Duplicate https://github.com/hats-finance/Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4/issues/12