Note: The root cause, PoC, and mitigation actions are the same for both MetaStable2TokenAuraVault and Boosted3TokenAuraVault vaults. Thus, the write-up of Boosted3TokenAuraVault vault is omitted for brevity.
xiaoming90
medium
Compromised Third-Party Protocols Can Pull All Assets From Balancer Vaults
Summary
Compromised third-party protocols (Balancer and Aura) can pull all assets from the Balancer vaults because they were given unlimited allowance.
Vulnerability Detail
During the vault initialization, it was observed that the vault gives Balancer maximum allowance to spend its primary (WETH) and secondary (stETH) tokens and gives Aura Finance maximum allowance to spend the BAL tokens. This effectively gives Balancer and Aura Finance the ability to pull all tokens (WETH, stETH, BAL) from the vaults.
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/MetaStable2TokenAuraVault.sol#L44
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/balancer/internal/pool/TwoTokenPoolUtils.sol#L157
Impact
If Balancer or Aura Finance is compromised, all the tokens (WETH, stETH, BAL) within the vaults can be stolen, since the compromised contracts can pull all the tokens from the vault and transfer them to the attacker's address.
As a result, the security of Notional's leveraged vault depends heavily on Balancer and Aura Finance. The vault should adopt the principle of least privilege by allowing Balancer and Aura Finance to pull or access only the amount of assets required to carry out the task at hand, no more and no less.
Granting a blanket allowance to Balancer or Aura Finance breaks this security principle. The vault should not place its entire trust in Balancer or Aura Finance and assume that they will never be hacked.
Code Snippet
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/MetaStable2TokenAuraVault.sol#L44
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/balancer/internal/pool/TwoTokenPoolUtils.sol#L157
Tool used
Manual Review
Recommendation
Instead of giving third-party protocols (Balancer and Aura Finance) a maximum allowance to spend the assets in the vaults, consider granting the required amount of allowance when it is needed and revoking the allowance once it is no longer needed, as shown below.
This approach has already been implemented by the Notional team within the TradingUtils._executeInternal function. Therefore, the same approach should be adopted here.
If the purpose of granting unlimited allowance to Balancer and Aura is to save gas by not having to call the approve function on every deposit and redemption, the risk of a security incident and its consequences seriously outweighs the benefit of a slight gas saving.
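The grant-then-revoke pattern recommended above, as an added illustration that is neither Notional's code nor the TradingUtils._executeInternal implementation. The IExternalSpender interface and its pull function are hypothetical stand-ins for the Balancer Vault and Aura Booster entry points, and the token is assumed to be a standard ERC-20 whose approve returns a bool (WETH, stETH and BAL do).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Hypothetical spender standing in for the Balancer Vault / Aura Booster
/// entry points; this is not Balancer's or Aura's actual ABI.
interface IExternalSpender {
    function pull(address token, uint256 amount) external;
}

contract ScopedAllowanceExample {
    IERC20 public immutable token;
    IExternalSpender public immutable spender;

    constructor(IERC20 _token, IExternalSpender _spender) {
        token = _token;
        spender = _spender;
    }

    /// Weak pattern (the one the finding describes): a one-off unlimited
    /// allowance granted at initialization that outlives every interaction,
    /// so a compromised spender can drain the whole balance at any time.
    function grantUnlimitedAllowance() external {
        token.approve(address(spender), type(uint256).max);
    }

    /// Least-privilege pattern: approve exactly what this operation needs,
    /// let the spender consume it, then reset the allowance to zero so no
    /// standing access remains between calls.
    function interactWithScopedAllowance(uint256 amount) external {
        // Grant only the amount required for this single operation.
        require(token.approve(address(spender), amount), "approve failed");

        spender.pull(address(token), amount);

        // Revoke whatever the spender did not consume. Tokens that do not
        // return a bool from approve need OpenZeppelin's SafeERC20 here.
        require(token.approve(address(spender), 0), "revoke failed");
        require(
            token.allowance(address(this), address(spender)) == 0,
            "allowance not revoked"
        );
    }
}
```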