Attacker can approve any transfers from TrancheRouter to arbitrary addresses
Summary
By crafting malicious tranche contract attacker can pass it to TrancheRouter.issue method, approving any transfer of any ERC20 from TrancheRouter to arbitrary addresses.
We can craft contract on tranche address that will return malicious underlying parameter. We can also deploy crafted contract on specific address that is equal to TrancheAddress.computeAddress(...) — we know in advance all the parameters passed to this function.
After that the TrancheRouter approves transfers of underlying to tranche, these parameters can be manipulated in crafted contract, thus allowing attacker to approve transfers of any ERC20 in underlying from TrancheRouter to arbitrary address in tranche.
Impact
Possible stealing of funds from TrancheRouter by attacker
vvv
medium
Attacker can approve any transfers from TrancheRouter to arbitrary addresses
Summary
By crafting malicious
tranche
contract attacker can pass it toTrancheRouter.issue
method, approving any transfer of any ERC20 from TrancheRouter to arbitrary addresses.Vulnerability Detail
Let's examine the
issue
method. tWe can craft contract on
tranche
address that will return maliciousunderlying
parameter. We can also deploy crafted contract on specific address that is equal toTrancheAddress.computeAddress(...)
— we know in advance all the parameters passed to this function.After that the TrancheRouter approves transfers of
underlying
totranche
, these parameters can be manipulated in crafted contract, thus allowing attacker to approve transfers of any ERC20 inunderlying
fromTrancheRouter
to arbitrary address intranche
.Impact
Possible stealing of funds from TrancheRouter by attacker
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/TrancheRouter.sol#L38-L59
Tool used
Manual Review
Recommendation
Introduce more strict check for
tranche
address, store verifiedunderlying
andadapter
in contract storage.