Open hats-bug-reporter[bot] opened 4 months ago
I forgot to add that this will also retrieve the incorrect issuance fee.
This also happens in `calculatePurchaseReturn`.
Both issues #61 and #62 are the same vulnerability, no need for separate reports.
Due to tests, it seems that the owner uses `bytes4(keccak256(bytes("_buyOrder(address, uint, uint)"))) = 0xebc8b020`, this one.
Check `testInternalGetBuyFeesAndTreasuryAddresses_works`.
@0xmahdirostami
The owner can be anyone, they will compute the function signature correctly (without the spaces). It's fair to assume that.
It's not a big issue, but I think it's at least a low.
> The owner can be anyone, they will compute the function signature correctly (without the spaces

Yes, you are right. Thanks for commenting back.
We could always miss something.
Github username: --
Twitter username: @EgisSec
Submission hash (on-chain): 0xeecfcbb58197b0883b6accc49d4405ad10e34932f2636837974e9fb1857ba6b0
Severity: low

Description:
`BondingCurveBase_v1` uses `_getFunctionFeesAndTreasuryAddresses` to get fee percentages from the `FeeManager_v1`.

`FeeManager_v1` relies on the function selector to correctly guess the return the fees for that specific function and module.

The issue is that `_getFunctionFeesAndTreasuryAddresses` is called with the incorrect function selector.

The protocol uses: `bytes4(keccak256(bytes("_buyOrder(address, uint, uint)"))) = 0xebc8b020`, while the actual selector should be: `bytes4(keccak256(bytes("_buyOrder(address,uint256,uint256)"))); = 0xd88e833f`.

The second one is the correct one, as the `_buyOrder` function selector is exactly `0xd88e833f`.

If we assume that the owner of `setCollateralWorflowFee` correctly uses the `0xd88e833f` selector, then `_buyOrder` won't work correctly as `getCollateralWorkflowFeeAndTreasury` will incorrectly return `defaultCollateralFee` instead of the real workflow fee that was set.

Attack Scenario
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
Compute the function selector correctly:
```solidity
return bytes4(keccak256(bytes("_buyOrder(address,uint256,uint256)")));
```