Closed sherlock-admin3 closed 4 months ago
Invalid; user would wrongly use the protocol for that to happen; he's not supposed to manually send tokens to the contract. And `skim` is exactly added for these scenarios. To profit from airdropped amounts
ComposableSecurity
medium
Stealing tokens added in `skim` mode
Summary
Anyone can backrun the user's transfer of assets to market when the user wants to add collateral or assets in `skim` mode. The attacker can steal the tokens and add them as theirs.
Vulnerability Detail
The `_addAsset` and `_addCollateral` functions accept a `skim` parameter, forwarded to the `_addTokens` function.
https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/Tapioca-bar/contracts/markets/bigBang/BBCommon.sol#L128-L138
When it is set to `true`, the market assumes that the user had made a transfer to the market before. The market checks whether its balance is greater than the number of previously stored assets. If so, it treats the surplus as the user's tokens.
The issue is that anyone can backrun the user's transfer to the market and deposit the user's tokens as theirs.
Here is the attack scenario:
`addAsset` with `skim = true`.
`addAsset` transaction) and calls `addAsset` with `skim = true` and modified value of `to` parameter (changing it to attacker's address).
Note to sponsor: If you think that users will use this feature often, this bug may be considered HIGH.
PoC
As the hardhat tests were not working in the contest repository, we have used the repository and branch recommended by the team, that is https://github.com/Tapioca-DAO/Tapioca-bar repository and branch `CU-86drm12h2-hh-fixes`. It differs a bit from the tests in contest's repo but the attack scenario is the same. The PoC has been created for the `addCollateral` function.
Impact
MEDIUM - Stealing tokens of user who made a transfer to market (e.g. while using the business flow with `skim` set to `true`).
Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/Tapioca-bar/contracts/markets/bigBang/BBCommon.sol#L128-L138
https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/Tapioca-bar/contracts/markets/singularity/SGLCommon.sol#L165-L177
Tool used
Manual Review
Recommendation
Consider removing the `skim` mode.
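The accounting described in the report, as a simplified Python model added here; it is not part of the original report and not Tapioca's code. The `Market` class, its method names and the account labels are assumptions, and the non-skim branch is modelled as a pull from the caller inside the same call. It shows why a transfer and its crediting need to be atomic: in skim mode the surplus belongs to whichever call records it first.

```python
# Simplified model of skim-mode accounting (constructed; not Tapioca's code).
class Market:
    def __init__(self, wallets):
        self.wallets = dict(wallets)  # token balances held outside the market
        self.token_balance = 0        # tokens the market actually holds
        self.total_recorded = 0       # tokens already credited to someone
        self.credited = {}            # per-account credited amount

    def transfer_in(self, sender, amount):
        """Plain token transfer to the market: moves tokens, credits nobody."""
        if self.wallets.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.wallets[sender] -= amount
        self.token_balance += amount

    def add_tokens(self, caller, to, amount, skim):
        if skim:
            # Any surplus over the recorded total is accepted as the deposit,
            # regardless of who actually sent it.
            if amount > self.token_balance - self.total_recorded:
                raise ValueError("no surplus to skim")
        else:
            # Pull mode (assumption): tokens leave the caller in this same call.
            self.transfer_in(caller, amount)
        self.total_recorded += amount
        self.credited[to] = self.credited.get(to, 0) + amount


def two_step_skim():
    """User transfers first; another account's skim call is ordered before the user's."""
    m = Market({"user": 100, "other": 0})
    m.transfer_in("user", 100)                # tx 1: user's transfer
    m.add_tokens("other", "other", 100, True) # ordered between tx 1 and tx 2
    try:
        m.add_tokens("user", "user", 100, True)  # tx 2: surplus is already gone
        user_credited = True
    except ValueError:
        user_credited = False
    return m.credited, user_credited


def atomic_pull():
    """Transfer and crediting in one call: there is no surplus window."""
    m = Market({"user": 100, "other": 0})
    try:
        m.add_tokens("other", "other", 100, False)  # fails: caller holds no tokens
    except ValueError:
        pass
    m.add_tokens("user", "user", 100, False)
    return m.credited
```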