Closed sherlock-admin closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Invalid. I believe the PoC is not proving the issue. If anything, it seems to be correct that the announceStableDeposit() function reverts accordingly, as represented by the assertFalse(success) cheatcode.
high
Improper Validation in DelayedOrder's announceStableDeposit can Corrupt State via Calldata Padding
Summary
The announceStableDeposit function in the DelayedOrder smart contract is vulnerable to calldata padding attacks due to improper validation of the length and format of parameters passed to the function.
Vulnerability Detail
The announceStableDeposit function expects calldata containing three uint256 parameters - depositAmount, minAmountOut, and keeperFee. The function does not check that the calldata length or structure matches what is expected. An attacker can craft exploitational calldata with three valid uint256 values for the expected parameters, followed by additional padding bytes. When the contract parses this calldata, it interprets the extra padding data incorrectly, leading to corruption of critical state variables tracking deposits and balances.
PoC Test
Run the test using Foundry:
Impact
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L67
Tool used
Manual Review
Recommendation
Add calldata length and format checks
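
The following is an added illustration, not part of the submission or the Flat Money code base. It models in Python how three static uint256 arguments are read from fixed offsets in calldata, and what the recommended exact-length check looks like next to the usual minimum-length check. The selector value, the function names and the sample amounts are constructed placeholders.

```python
WORD = 32
SELECTOR = bytes.fromhex("aabbccdd")  # placeholder, NOT the real function selector
ARG_NAMES = ("depositAmount", "minAmountOut", "keeperFee")
HEAD_LEN = len(SELECTOR) + WORD * len(ARG_NAMES)  # 4 + 3 * 32 = 100 bytes


class CalldataError(ValueError):
    """Raised when calldata does not match the expected layout."""


def encode_announce(deposit_amount: int, min_amount_out: int, keeper_fee: int) -> bytes:
    """Build calldata: selector followed by three big-endian 32-byte words."""
    values = (deposit_amount, min_amount_out, keeper_fee)
    return SELECTOR + b"".join(v.to_bytes(WORD, "big") for v in values)


def decode_announce(calldata: bytes, strict: bool = False) -> dict:
    """Decode the three uint256 arguments from fixed offsets.

    strict=False: only requires enough bytes for the head; bytes after
                  offset HEAD_LEN are never read.
    strict=True:  additionally rejects any calldata whose length is not
                  exactly HEAD_LEN (the check the recommendation asks for).
    """
    if calldata[:4] != SELECTOR:
        raise CalldataError("unknown selector")
    if len(calldata) < HEAD_LEN:
        raise CalldataError("calldata too short")
    if strict and len(calldata) != HEAD_LEN:
        raise CalldataError(f"{len(calldata) - HEAD_LEN} unexpected trailing bytes")
    args = {}
    for i, name in enumerate(ARG_NAMES):
        start = len(SELECTOR) + i * WORD
        args[name] = int.from_bytes(calldata[start:start + WORD], "big")
    return args


# Constructed sample input: a well-formed call and the same call with padding.
CLEAN = encode_announce(100 * 10**18, 99 * 10**18, 10**15)
PADDED = CLEAN + b"\xff" * 64

if __name__ == "__main__":
    print(decode_announce(CLEAN))
    print(decode_announce(PADDED) == decode_announce(CLEAN))  # True
    try:
        decode_announce(PADDED, strict=True)
    except CalldataError as exc:
        print("strict mode rejected:", exc)
```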