Open hats-bug-reporter[bot] opened 2 weeks ago
inside the parentCollectionId(), the market contract could steal the funds since it is approved by the Alice
the market contract is just a value object, there isn't a single place on the codebase giving a Market an approve() to do something
hey.. sorry for this mistake.. it's a to the router.
inside the parentCollectionId(), the market contract could steal the funds since router is approved by the Alice
inside the parentCollectionId(), the market contract could steal the funds since router is approved by the Alice
The router is approved, not the market contract.
I think the hunter is confusing calls and delegateCall. The router calls the market contract, it doesn't delegate any call to the market.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x27e2ec75e3744e792932f97509b34aa418ba1f4f9d7e8450ae47caaf476288ef Severity: high
Description:
Through the router contract such as GnosisRouter, users interact with deposit and split shares and other kinds of operations. For example, the splitFromBase function. GnosisRouter.sol#L31-L35

This takes the user-provided market argument as input. The function receives some xDAI (specified by msg.value) from the caller. It deposits the received xDAI. The deposited xDAI is converted into shares, which represent ownership of the deposit within the protocol. These shares are then split or allocated to a specified Market using the _splitPosition function.

As we said, the market could be a user-given contract address which has any custom functionality. _splitPosition is called with this market contract address. The Router contract is approved by other users to spend the collateral tokens. Refer to the transferFrom call in splitPosition and other places. Router.sol#L50-L82

One of the external calls it makes is market.parentCollectionId(); to get the parentCollectionId. Note the caller will be the Router contract in this case. For the above scenario, when market is a user-given contract address, using some custom function, the approved funds could be stolen inside the parentCollectionId or in any other external calls by the market contract.

Attack Scenario
Let's see the following case. splitFromBase function with malicious market contract. Inside the parentCollectionId(), the market contract could steal the funds since it is approved by Alice to send by the router. Note the caller would be the router inside the market contract. parentCollectionId could return a valid parentCollectionId which is sufficient to continue the function execution. We see in most of the places, the approved fund is not reset. The following suggestions we would like to make.
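The maintainers' reply, as an added regression test that is not the project's code: the allowance is granted to the router, and because the router reaches the market with a plain external call (not delegatecall), the market is the msg.sender of any transferFrom it issues and has no allowance to spend. MinimalRouter, ProbeMarket, Coll and IMarket are hypothetical stand-ins; Foundry (forge-std) and OpenZeppelin's ERC20 are assumed to be available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added regression test, not the project's code. MinimalRouter, ProbeMarket,
// Coll and IMarket are hypothetical stand-ins; Foundry (forge-std) and
// OpenZeppelin's ERC20 are assumed to be available.
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
// Declared non-view so the router uses CALL; if the real interface declares
// it view, the compiler emits STATICCALL and any state change reverts anyway.
interface IMarket { function parentCollectionId() external returns (bytes32); }
// The contract users approve. It reaches the market with a plain external
// CALL (not delegatecall), so the market runs in its own context and is the
// msg.sender of anything it calls onward.
contract MinimalRouter {
    ERC20 public immutable collateral;
    constructor(ERC20 c) { collateral = c; }
    function splitPosition(IMarket market, uint256 amount) external returns (bytes32 parentId) {
        parentId = market.parentCollectionId();
        // The only place the user's allowance is spent; msg.sender here is the router.
        require(collateral.transferFrom(msg.sender, address(this), amount), "pull failed");
    }
}
// Test double playing the market from the report: its callback tries to pull
// the user's tokens. The ERC20 checks allowance[user][msg.sender], and
// msg.sender is this contract, not the router, so that allowance is zero.
contract ProbeMarket is IMarket {
    ERC20 immutable c; address immutable user;
    constructor(ERC20 _c, address _u) { c = _c; user = _u; }
    function parentCollectionId() external returns (bytes32) {
        c.transferFrom(user, address(this), c.balanceOf(user)); // reverts: allowance is 0
        return bytes32(0);
    }
}
contract Coll is ERC20 {
    constructor() ERC20("Collateral", "COL") { _mint(msg.sender, 1_000e18); }
}
contract RouterAllowanceTest is Test {
    function testMarketCannotSpendRouterAllowance() public {
        Coll coll = new Coll();                            // this test contract plays Alice
        MinimalRouter router = new MinimalRouter(coll);
        coll.approve(address(router), type(uint256).max); // Alice's approval to the router
        ProbeMarket market = new ProbeMarket(coll, address(this));
        vm.expectRevert();                                 // the market's pull reverts the whole call
        router.splitPosition(market, 1e18);
        assertEq(coll.balanceOf(address(this)), 1_000e18); // Alice still holds everything
    }
}
```

Run with `forge test`; the assertion holds because the market's transferFrom is evaluated against allowance[Alice][market], which was never set.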