Supported Features of 0x's Exchange Proxy Introduce Unnecessary Risks
Summary
Many supported features of 0x's Exchange Proxy can be utilized when executing a 0x trade within the leverage vault which will increase the possible attack surface significantly and increase the risk of the protocol being compromised.
Vulnerability Detail
Based on the environment setting provided by Notional, it was observed that the 0x DEX address points to 0x's Exchange Proxy. The 0x's Exchange Proxy supports many features including limit order trade. Refer to https://docs.0x.org/protocol/docs/exchange-proxy/features for a full list of supported features. The following is a non-exhaustive overview of features that may be registered/deployed on the Exchange Proxy:
NativeOrdersFeature
BatchFillNativeOrdersFeature
ERC721OrdersFeature / ERC1155OrdersFeature
TransformERC20Feature
MultiplexFeature
LiquidityProviderFeature
MetaTransactionsFeature
OtcOrdersFeature
UniswapFeature
PancakeSwapFeature
SimpleFunctionRegistryFeature
OwnableFeature
FundRecoveryFeature
The key security consideration of a leverage vault design is that the users can only execute actions authorized by Notional to mitigate the risks. However, the design of the 0x adaptor goes against this key security consideration, which will introduce many issues and risks to the protocol.
Impact
There are at least 10 features supported by 0x Exchange Proxy. This increases the possible attack surface significantly and increases the risk of the protocol being compromised.
It is recommended to prevent users from accessing other features such as LiquidityProviderFeature or OwnableFeature so that users are only restricted to the standard swap feature. By limiting the feature, it will be easier for Notional to restrict its users' interaction with 0x DEX. It is prudent to restrict the number of features that the users can possibly interact with the 0x DEX to reduce the risks.
xiaoming90
medium
Supported Features of 0x's Exchange Proxy Introduce Unnecessary Risks
Summary
Many supported features of 0x's Exchange Proxy can be utilized when executing a 0x trade within the leverage vault which will increase the possible attack surface significantly and increase the risk of the protocol being compromised.
Vulnerability Detail
Based on the environment setting provided by Notional, it was observed that the 0x DEX address points to 0x's Exchange Proxy. The 0x's Exchange Proxy supports many features including limit order trade. Refer to https://docs.0x.org/protocol/docs/exchange-proxy/features for a full list of supported features. The following is a non-exhaustive overview of features that may be registered/deployed on the Exchange Proxy:
The key security consideration of a leverage vault design is that the users can only execute actions authorized by Notional to mitigate the risks. However, the design of the 0x adaptor goes against this key security consideration, which will introduce many issues and risks to the protocol.
Impact
There are at least 10 features supported by 0x Exchange Proxy. This increases the possible attack surface significantly and increases the risk of the protocol being compromised.
Code Snippet
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/trading/adapters/ZeroExAdapter.sol#L7
Tool used
Manual Review
Recommendation
It is recommended to prevent users from accessing other features such as LiquidityProviderFeature or OwnableFeature so that users are only restricted to the standard swap feature. By limiting the feature, it will be easier for Notional to restrict its users' interaction with 0x DEX. It is prudent to restrict the number of features that the users can possibly interact with the 0x DEX to reduce the risks.