Closed sherlock-admin closed 1 year ago
The converter contract does not hold any funds and is only used transiently to conduct conversions from interest bearing assets to the underlying for a given market. As a result, even if the converter contract approves other assets, it isn't clear to me how that would result in user funds being at risk as a result.
To give extra flavour, the c
param is derived through the redeemer, meaning it cannot be manipulated
ctf_sec
high
Malicious actor can hijack to Converter execution flow and perform malicious approval in Converter.sol
Summary
Malicious actor can hijack to Converter flow and perform malicious approval.
Vulnerability Detail
Let us look into the implementation for converter.sol
note the external call without validation giving away the whole execution flow in the hand of hackers.
The hacker can use this contract to approve token allowance:
First the hacker deploy this contract,
then given the parameter,
hacker choose the address c as the address of the Hack contract.
the hacker needs to mint some token to bypass:
then code executes
this corresponds to:
Ok now the address pool is still the hack address.
then this is important.
The hacker can just pick a token address(u), then the contract pool, which is the hack address, have the spending power of amount a in Converter.sol.
Then the code executes:
In the contract hack, we do nothing:
Impact
Then any fund that is in Converter is not safe. Maybe when user redeem, the redeem call converter, the converter sliently fail in Compound redeem, the c token stucked in the contract.
I submitted another report explaining how compound redeem can fail silently:
https://github.com/sherlock-audit/2022-10-illuminate-ctf-sec/issues/5
Then after the hacker observe the stucked c token in the contract, he can call steal to complete the exploit
Code Snippet
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Converter.sol#L16-L35
Tool used
Manual Review
Recommendation
Whitelist the external contract in Converter.sol!