Attacker can approve any transfers from TrancheRouter to arbitrary addresses
Summary
By crafting malicious tranche contract attacker can pass it to TrancheRouter.issue method, approving any transfer of any ERC20 from TrancheRouter to arbitrary addresses.
We can craft contract on tranche address that will return malicious underlying parameter. We can also deploy crafted contract on specific address that is equal to TrancheAddress.computeAddress(...) — we know in advance all the parameters passed to this function.
After that the TrancheRouter approves transfers of underlying to tranche, these parameters can be manipulated in crafted contract, thus allowing attacker to approve transfers of any ERC20 in underlying from TrancheRouter to arbitrary address in tranche.
Impact
Possible stealing of funds from TrancheRouter by attacker
vvv
medium
Attacker can approve any transfers from TrancheRouter to arbitrary addresses
Summary
By crafting malicious
tranchecontract attacker can pass it toTrancheRouter.issuemethod, approving any transfer of any ERC20 from TrancheRouter to arbitrary addresses.Vulnerability Detail
Let's examine the
issuemethod. tWe can craft contract on
trancheaddress that will return maliciousunderlyingparameter. We can also deploy crafted contract on specific address that is equal toTrancheAddress.computeAddress(...)— we know in advance all the parameters passed to this function.After that the TrancheRouter approves transfers of
underlyingtotranche, these parameters can be manipulated in crafted contract, thus allowing attacker to approve transfers of any ERC20 inunderlyingfromTrancheRouterto arbitrary address intranche.Impact
Possible stealing of funds from TrancheRouter by attacker
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/TrancheRouter.sol#L38-L59
Tool used
Manual Review
Recommendation
Introduce more strict check for
trancheaddress, store verifiedunderlyingandadapterin contract storage.