Closed sherlock-admin2 closed 7 months ago
2 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
Low. As I understand it the contract is not expected to hold funds. Even if somebody sent in a mistake it wouldn't be his fault. I don't think the report qualifies for Medium but you can escalate if you want.
0xAadi commented:
Invalid: There will not have any dust
Escalate I accept that the contract is designed not to hold funds as expected, and there is no responsibility to be assumed if someone mistakenly sends native currency to this contract.
However, my concern in this issue is that as the description of the code at this refund any remaining ETH to the fillers
, The fillers who do some work like the order-maker for the platform and are expected to run an off-chain logic, and pick orders, that are profitable for them to execute. They probably should be incentive from that locked funds, not anyone who just deploys any ERC20 token then directly call to the GladiusReactor
without any works for platform and steal that funds.
File: BaseGladiusReactor.sol
// refund any remaining ETH to the filler. Only occurs when filler sends more ETH than required to
// `execute()` or `executeBatch()`, or when there is excess contract balance remaining from others
// incorrectly calling execute/executeBatch without direct filler method but with a msg.value
Another issue arises during the verification step of the order, where the input token and output token are allowed to be the same.
Thank you for taking the time to address this matter.
Escalate I accept that the contract is designed not to hold funds as expected, and there is no responsibility to be assumed if someone mistakenly sends native currency to this contract.
However, my concern in this issue is that as the description of the code at this refund any remaining ETH to the fillers, who are do some work like the order-maker for the platform and expected to run an off-chain logic, and pick orders, that are profitable for them to execute. should be incentive from that locked funds, not anyone who just deploys any ERC20 token then directly call to the GladiusReactor without any works for platform and steal that funds.
File: BaseGladiusReactor.sol // refund any remaining ETH to the filler. Only occurs when filler sends more ETH than required to //
execute()
orexecuteBatch()
, or when there is excess contract balance remaining from others // incorrectly calling execute/executeBatch without direct filler method but with a msg.value Another issue arises during the verification step of the order, where the input token and output token are allowed to be the same.Thank you for taking the time to address this matter.
The escalation could not be created because you are not exceeding the escalation threshold.
You can view the required number of additional valid issues/judging contest payouts in your Profile page, in the Sherlock webapp.
merlinboii
medium
Draining Remaining Native Tokens with Dust Spending
Summary
The remaining native token balance can be drained by directly swapping order with dust amount through
GladiusReactor
contract.Vulnerability Detail
The execution functions of
GladiusReactor
contract allow public calls by anyone and theGladiusReactor
can receive native token to support the following cases:execute()
orexecuteBatch()
execute()
/executeBatch()
without direct filler method but with a msg.valueThe ALL remaining native tokens are intended to be refunded to the filler contract at that time (as mentioned in the code snippet below, which are expected to rightfully execute the valid order queried from off-chain.
Moreover, the resolve order process does not validate the order's input and output token. This allows the malicious swapper can directly execute the
input token = output token
order with a dust swapping amount.By doing so, they can retrieve all remaining native tokens in the
GladiusReactor
contract while reducing the initial amount required to perform the token draining and minimizing the fee charge.BaseGladiusReactor.sol#L245 - 250
Proof of Concept
The
test_Gain_Remaining_GladiusNativeBalance_Via_Swap_Dust
test case shows that a malicious swapper can execute an order where the input token is the same as the output token.As a result, the swapper's balance after executing the order being reduced by only the fee incurred during the process.
However, the malicious swapper executes the same-token order swap with a DUST amount to minimize the fee charge.
Consequently, they drain all the remaining native tokens in the
GladiusReactor
contract by using the DUST spending.The following is the test script and its result. The test can be put and run by following.
The
test_Gain_Remaining_GladiusNativeBalance_Via_Swap_Dust
testGist: https://gist.github.com/filmptz/9fcce58d764fc85560f40919b4b862c3
The Result of PoC
Impact
The complete loss of all remaining native token balance to the malicious swapper, which should rightfully belong to the filler contracts for the available order execution.
Code Snippet
Resolve Order
GladiusReactor.sol#L46
Validate Order
GladiusReactor.sol#L129 - 149
Refund Logic
BaseGladiusReactor.sol#L245 - 250
Tool used
Recommendation
As the restriction of filler contracts appears to limit the ability of the order-maker actor to fill the order, the handling of the native refunding case can be improved to better serve the intended purposes.
Case#1: Filler sends more ETH than required to
execute()
orexecuteBatch()
Currently, in the existing logic, the current filler will receive all of the remaining native balance, which can exceed their overpayment. The protocol can apply tracking of the actual transferred native fill amount in each execution and compare it with the msg.value sent from the fillers to refund the precise amount.Case#2:There is excess contract balance remaining from others incorrectly calling
execute()
/executeBatch()
without direct filler method but with a msg.value The protocol can apply logic to keep track of mistakenly sent native tokens to the contract and use them for the proper purposes based on requirements, such as distributing them to incentivize each filler.Moreover, consider adding the input and output token addresses validation into the _validateOrder of the
GladiusReactor
contract.List of Execution Functions
### File: BaseGladiusReactor.sol * [execute(SignedOrder calldata order,uint256 quantity)](https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L53-L56) * [executeWithCallback(SignedOrder calldata order,uint256 quantity, bytes calldata callbackData)](https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L65-L69) * [executeBatch(SignedOrder[] calldata orders, uint256[] calldata quantities)](https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L82-L85) * [executeBatchWithCallback(SignedOrder[] calldata orders, uint256[] calldata quantities, bytes calldata callbackData)](https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L104-L108) * [execute(SignedOrder calldata order)](https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L133-L135) * [executeWithCallback(SignedOrder calldata order, bytes calldata callbackData)](https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L144-L147) * [executeBatch(SignedOrder[] calldata orders)](https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L160-L162) * [executeBatchWithCallback(SignedOrder[] calldata orders, bytes calldata callbackData)](https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/reactors/BaseGladiusReactor.sol#L180-L183)