search

sherlock-audit / 2024-01-napier-judging

9 stars 6 forks source link

thisvishalsingh - thisvishalsingh - protocol rely on `balance` or `balanceOf` instead of internal accounting several times can lead to Donation Attack #121

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 7 months ago

thisvishalsingh

medium

thisvishalsingh - protocol rely on balance or balanceOf instead of internal accounting several times can lead to Donation Attack

thisvishalsingh

medium

protocol rely on balance or balanceOf instead of internal accounting several times can lead to Donation Attack

Summary

Attackers can manipulate the accounting by donating tokens. In contract NapierPool.sol, TrancheRouter.sol, PeripheryPayments.sol, Tranche.sol rely on balance or balanceOf instead of internal accounting several times

Vulnerability Detail

a example from NapierPool::removeLiquidity : 

uint256 liquidity = balanceOf(address(this));
        (uint256 _totalUnderlying, uint256 _totalBaseLpt) = (totalUnderlying, totalBaseLpt);

        (underlyingOut, baseLptOut) = _burnLiquidity(totalUnderlying, totalBaseLpt, liquidity);
        if (underlyingOut == 0 && baseLptOut == 0) revert Errors.PoolZeroAmountsOutput();

Impact

Attackers can manipulate the accounting by donating tokens.

Code Snippet

https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierPool.sol#L273 https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierPool.sol#L608 https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L274 https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L282 https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L418 https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L444 https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L504 https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L577 https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L818 https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierRouter.sol#L508 https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/base/PeripheryPayments.sol#L27 https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/base/PeripheryPayments.sol#L42 https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/Tranche.sol#L199

Tool used

Manual Review

Recommendation

Implement internal accounting instead of relying on balanceOf natively.

this-vishalsingh commented 7 months ago

@sherlock-admin Without any reason how you can close it?