Closed sherlock-admin closed 6 months ago
We do not consider this to be a bug. Our frontend helps users correctly use a proxy to handle transactions, allowing transfer and swap to occur within the same transaction. Transfer and swap should not and cannot be separated. If a user merely transfers tokens into the pool but does not call the swap function, it is irresponsible behavior towards their own funds.
See comments here. Additionally GSPTrader.sol is not meant to hold funds since any excess from swap will be refunded to user.
pinalikefruit
high
Anyone can steal the base/quote token that is sent to GSP.sol
Summary
If a user transfers base/quote tokens to swap on GSPTrader.sol::sellBase(), GSPTrader.sol::sellQuote() or GSPFunding.sol::buyShares(), then once the transfer is made, anyone can steal the assets sent.
Vulnerability Detail
The vulnerability is detected in three specific functions: GSPTrader.sol::sellBase(), GSPTrader.sol::sellQuote(), and GSPFunding.sol::buyShares(), and occurs when a user wants to buy some shares or make a swap for their token. When this happens, ownership of the token passes to the malicious actor. As a result, the malicious actor can sell any of these tokens and send them to his wallet or exchange them for shares and then, if he wishes, sell this share and receive the corresponding amount of tokens. Therefore, the user loses everything.
PoC
To replicate this vulnerability, use the same testing environment as the DODO team. Run the following script with forge test --mt getShare --fork-url $ETH_RPC_URL -vvv. This script demonstrates the sequence of events post-user transfer, culminating in the attacker buying shares with the transferred amount.
Impact
The impact of this vulnerability is high. Users are at risk of losing their deposited funds entirely.
Code Snippet
The affected code sections can be viewed at the following GitHub links:
Tool used
Recommendation
To mitigate this risk, it is essential to implement a robust deposit tracking system. This system should ensure that only users who have made prior deposits can execute trades or buy shares.
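A minimal sketch of the pattern under dispute, added here as an illustration and not taken from the issue or from DODO's contracts: a pool that reads its input from a balance delta, and a router that pulls tokens and calls sellBase in the same transaction, which is the proxy behaviour the sponsor comment describes. SketchPool, SketchRouter, the 1:1 price and the sellBase(address) signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed sketch: names, pricing and interfaces are assumptions, not DODO's code.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address to, uint256 amt) external returns (bool);
    function transferFrom(address from, address to, uint256 amt) external returns (bool);
}

// Pool that infers the input amount from its own balance, as described in the issue.
contract SketchPool {
    IERC20 public immutable base;
    IERC20 public immutable quote;
    uint256 public baseReserve; // balance recorded at the end of the last operation

    constructor(IERC20 b, IERC20 q) { base = b; quote = q; }

    // Input = current balance - recorded reserve. The pool cannot tell who sent it,
    // so whoever calls sellBase chooses where the output goes.
    function sellBase(address to) external returns (uint256 out) {
        uint256 input = base.balanceOf(address(this)) - baseReserve;
        require(input > 0, "no input");
        out = input; // placeholder 1:1 price; a real pool applies its curve and fees
        baseReserve += input;
        require(quote.transfer(to, out), "quote transfer failed");
    }
}

// Router: pull and swap in ONE transaction, so no unclaimed balance is ever
// left in the pool between the transfer and the sellBase call.
contract SketchRouter {
    function sellBaseAtomic(SketchPool pool, uint256 amountIn, uint256 minOut)
        external
        returns (uint256 out)
    {
        // Requires prior approval of this router by msg.sender.
        require(pool.base().transferFrom(msg.sender, address(pool), amountIn), "pull failed");
        out = pool.sellBase(msg.sender);
        require(out >= minOut, "slippage"); // a revert here undoes the transfer as well
    }
}
```

A token sent to SketchPool in a separate transaction stays as an unattributed balance delta until the next sellBase call, which is the window the finding describes; going through the router closes it.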