search

sherlock-audit / 2023-03-taurus-judging

4 stars 0 forks source link

mstpr-brainbot - Malicious keepers #168

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

mstpr-brainbot

high

Malicious keepers

Summary

A malicious keeper can advantage the swapForTau function and take the yield tokens to pocket instead of selling for TAU

Vulnerability Detail

There are no checks on keepers _minTauReturned and _yieldTokenAmount values. Malicious keeper can swap rewards with inputting the _minTauReturned as 0 and the swap the keeper does will be sandwitched since there are no slippage tolerance.


Example: 
Assume 1WETH = 1000TAU,
 
Keeper will give the _minTauReturned as 1. 
1 WETH will be sent to swap adapter contract after keeper tx. 
Since swap data also generated by keeper, keeper will only swap to achieve 1 TAU output. 
Rest of the WETH will be idle on swap contract. 
Then keeper will call the swap contract and pocket the remaining ETH since swap contract is sending the funds from its internal balance to msg.sender.

Impact

Code Snippet

https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/SwapHandler.sol#L45-L52

Tool used

Manual Review

Recommendation

Duplicate of #133

mstpr commented 1 year ago

Escalate for 10 USDC

https://github.com/sherlock-audit/2023-03-taurus-judging/issues/133 this finding is almost identical with this finding which is accepted as a valid finding. What is the reason mine is excluded ?

sherlock-admin commented 1 year ago

Escalate for 10 USDC

https://github.com/sherlock-audit/2023-03-taurus-judging/issues/133 this finding is almost identical with this finding which is accepted as a valid finding. What is the reason mine is excluded ?

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

hrishibhat commented 1 year ago

Escalation accepted

Considering this a duplicate of #133 under the malicious keeper reasoning. But as mentioned in 133 the keeper is trusted and not a valid issue.

sherlock-admin commented 1 year ago

Escalation accepted

Considering this a duplicate of #133 under the malicious keeper reasoning. But as mentioned in 133 the keeper is trusted and not a valid issue.

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.