PossumLabsCrypto
commented
12 months ago answer provided in #56
Open hats-bug-reporter[bot] opened 12 months ago
PossumLabsCrypto
commented
12 months ago answer provided in #56
Github username: @hama-tech Twitter username: -- Submission hash (on-chain): 0x101bffd43f8e9a01a259918f615fbf2c383c04e14f1e011ad10c1e2d0f837c1c Severity: high
Description: Description
The convert function in the smart contract is susceptible to an attack where an attacker can manipulate the contract's state to withdraw more bTokens than intended.
The vulnerability arises from insufficient checks as an attacker can set _token to the address of bToken and transfer constant amount of PSM tokens, allowing him to potentially drain the entire balance of the specified bToken.
Attack Scenario
The attacker set _token to the address of bToken and transfers a constant amount of PSM tokens (AMOUNT_TO_CONVERT) to the contract. The contract, without proper validation, accepts the PSM token transfer. The contract then calculates the balance of the specified bToken and transfers the entire balance to the attacker.
The contract can receive PSM tokens during the funding phase and issues bTokens as receipt then bTokens can be redeemed against the fundingRewardPool which consists of PSM tokens which will cause theft of funds and a financial loss to the contract.
Attachments
https://github.com/hats-finance/Possum-Labs--Portals--0xed8965d49b8aeca763447d56e6da7f4e0506b2d3/blob/main/contracts/Portal.sol#L630
https://github.com/hats-finance/Possum-Labs--Portals--0xed8965d49b8aeca763447d56e6da7f4e0506b2d3/blob/main/contracts/Portal.sol#L645
Add a check to ensure that the transferred token is the expected bToken.