Open hats-bug-reporter[bot] opened 1 month ago
Those shares split using a lower valued sDAI won't be redeemable for sDAI later, check conditional tokens implementation
I couldn't see any issue explained in the report. We could in the future support other ERC20 tokens.
Github username: --
Twitter username: --
Submission hash (on-chain): 0x8943e675d42c9026a1d7cf189ec14545b4cd62157368fb9aab1282a7cec984ac
Severity: medium
Description:

The Router.sol contract is inherited and used by other router contracts. However, when Router.sol is inherited by the Gnosis and Mainnet routers, the public splitPosition function is still exposed, and there is no access control in place for the use of sDAI in this function. As a result, an attacker can perform the splitPosition operation using any token of their choice that is valued lower than sDAI.

Proof of Concept (PoC)

Public splitPosition function in Router.sol;

And the operations in the internal function go like this;

There is no place to revert; even if there were specific functions for sDAI, the attacker could deploy the same contract themselves and trick it.

Recommendation

The Mainnet and Gnosis routers already have customized implementations, but if you want to continue supporting the use of a common public function, you can enforce the sDAI addresses for both networks by implementing a chainid check in the public splitPosition function.
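
One way the chainid check recommended in the report could look, as an added example that is not part of the report or of the project's Router.sol. The contract name, the splitPosition signature, the event and errors are hypothetical, and both sDAI addresses are placeholders to be replaced with the verified address for each network.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Added illustration only; not the project's Router.sol.
contract CollateralGuardedRouter {
    uint256 private constant MAINNET = 1;
    uint256 private constant GNOSIS = 100;

    // Placeholders (constructed values): set to the verified sDAI address on each network.
    address private constant SDAI_MAINNET = 0x1111111111111111111111111111111111111111;
    address private constant SDAI_GNOSIS = 0x2222222222222222222222222222222222222222;

    error UnsupportedChain(uint256 chainId);
    error CollateralNotAllowed(address supplied, address expected);
    error TransferFailed();

    event CollateralAccepted(address indexed account, bytes32 indexed marketId, uint256 amount);

    /// Returns the only collateral token accepted on the current chain.
    function expectedCollateral() public view returns (address) {
        if (block.chainid == MAINNET) return SDAI_MAINNET;
        if (block.chainid == GNOSIS) return SDAI_GNOSIS;
        revert UnsupportedChain(block.chainid);
    }

    /// Hypothetical signature; the real function's parameters are not shown on the page.
    function splitPosition(address collateralToken, bytes32 marketId, uint256 amount) public {
        address expected = expectedCollateral();
        // Revert before any token movement if the caller supplies another token.
        if (collateralToken != expected) revert CollateralNotAllowed(collateralToken, expected);

        if (!IERC20Minimal(expected).transferFrom(msg.sender, address(this), amount)) {
            revert TransferFailed();
        }
        // The conditional-tokens split would follow here; it is omitted because
        // its interface is not shown on the page.
        emit CollateralAccepted(msg.sender, marketId, amount);
    }
}
```

Pinning the token per chain means this entry point can no longer be used with any other ERC20 collateral.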