Open sherlock-admin opened 4 months ago
The protocol team fixed this issue in the following PRs/commits: https://github.com/rio-org/rio-sherlock-audit/pull/5
Escalate I think this issue is low/informational for the following reasons:
1- There are no loss of funds here. If the USDT is picked then the underlying asset will not be possible to be added to LRT.
2- Current code is specifically for assets that has an EigenLayer strategy which there are no tokens like USDT.
3- Issuer contract is upgradable proxy, if the adding a new asset fails, then the new implementation can be used to add the asset to LRT.
Escalate I think this issue is low/informational for the following reasons:
1- There are no loss of funds here. If the USDT is picked then the underlying asset will not be possible to be added to LRT.
2- Current code is specifically for assets that has an EigenLayer strategy which there are no tokens like USDT.
3- Issuer contract is upgradable proxy, if the adding a new asset fails, then the new implementation can be used to add the asset to LRT.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Disagree with escalation, the argument is moot given it is explicitly stated in contest details that such tokens could be supported
Do you expect to use any of the following tokens with non-standard behaviour with the smart contracts?
- We plan to support tokens with no less than 6 decimals and no more than 18 decimals.
- Tokens may not return a bool on ERC20 methods (e.g. USDT)
- Tokens may have approval race protections (e.g. USDT)
Escalate I think this issue is low/informational for the following reasons:
1- There are no loss of funds here. If the USDT is picked then the underlying asset will not be possible to be added to LRT.
2- Current code is specifically for assets that has an EigenLayer strategy which there are no tokens like USDT.
3- Issuer contract is upgradable proxy, if the adding a new asset fails, then the new implementation can be used to add the asset to LRT.
USDT is mentioned as a supported asset in the documentation, also double checked by the sponsor, see #232
The issue will prevent the initial deposit, enabling inflation attack vectors.
The issue will prevent the initial deposit, enabling inflation attack vectors.
It will not allow USDT to be added, rather than enable inflation attack vectors.
I disagree with the escalation, the codebase will not be able to support planned functionality without loss of funds, so Medium is appropriate.
I disagree with the escalation, the codebase will not be able to support planned functionality without loss of funds, so Medium is appropriate.
there won't be any loss of funds tho. It is just simply USDT will not be added, tx will fail.
In which case, the issuer would be upgraded to support USDT.
I disagree with the escalation, the codebase will not be able to support planned functionality without loss of funds, so Medium is appropriate.
there won't be any loss of funds tho. It is just simply USDT will not be added, tx will fail.
right even setting 0 will break the tx, but it falls in the med severity according to the docs as core func is broken
Result: Medium Has duplicates
As noted above, breaks core functionality, hence Medium is appropriate.
The protocol team fixed this issue in PR/commit rio-org/rio-sherlock-audit#5.
Fixed forceApprove is now used
The Lead Senior Watson signed off on the fix.
fibonacci
medium
RioLRTIssuer::issueLRT reverts if deposit asset's approve method doesn't return a bool
Summary
Using
ERC20::approve
will not work with ERC20 tokens that do not return a bool.Vulnerability Detail
The contest's README states that tokens that may not return a bool on ERC20 methods (e.g., USDT) are supposed to be used.
The
RioLRTIssuer::issueLRT
function makes a sacrificial deposit to prevent inflation attacks. To process the deposit, it calls theERC20::approve
method, which is expected to return a bool value.Solidity has return data length checks, and if the token implementation does not return a bool value, the transaction will revert.
Impact
Issuing LRT tokens with an initial deposit in an asset that does not return a bool on an
approve
call will fail.POC
Add this file to the
test
folder. Run test withforge test --mc POC --rpc-url=<mainnet-rpc-url> -vv
.Code Snippet
https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTIssuer.sol#L172
Tool used
Manual Review
Recommendation
Use
forceApprove
from OpenZeppelin'sSafeERC20
library.