Open sherlock-admin2 opened 7 months ago
@0xRektora @maarcweiss
Do you guys thinks this is a dupe of #111?
@nevillehuang I think it's a dupe of https://github.com/sherlock-audit/2024-02-tapioca-judging/issues/109 for which I submitted a fix already
It doesn't seem to be duplicate of #111
@cryptotechmaker Yes agree.
ComposableSecurity
high
Unverified
_srcChainSender
parameter allows to impersonate the senderSummary
The
_toeComposeReceiver
function accepts the_srcChainSender
parameter that represents the sender of cross-chain message (via LayerZero's OFT) on the source chain. The function executes modules depending on the_msgType
parameter and some of them do not accept the_srcChainSender
parameter. Lack of verification for_srcChainSender
means that the attacker can execute those modules on behalf of different users.Vulnerability Detail
The
_toeComposeReceiver
function is called by the LayerZero endpoint (indirectly) when there is a compose message to be executed. It gets three parameters:https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/usdo/modules/UsdoReceiver.sol#L63-L100
The first patameter (
_msgType
) represents the type of message that should be executed on the destination chain. The second (_srcChainSender
) is the sender of the message on the source chain and last one (_toeComposeMsg
) contains the parameters for the executed operation.In case of
MSG_TAP_EXERCISE
the_srcChainSender
parameter is forwarded to theUsdoOptionReceiver
module: https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/usdo/modules/UsdoReceiver.sol#L68-L75In case of other types (
MSG_MARKET_REMOVE_ASSET
,MSG_YB_SEND_SGL_LEND_OR_REPAY
andMSG_DEPOSIT_LEND_AND_SEND_FOR_LOCK
) the_srcChainSender
parameter is not forwarder and the attacker fully control the contents of_toeComposeMsg
.Let's take the
MSG_MARKET_REMOVE_ASSET
message as an example.removeAssetReceiver
function fromUsdoMarketReceiverModule
is executed with_toeComposeMsg
parameter.https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/usdo/modules/UsdoMarketReceiverModule.sol#L210-L241
_toeComposeMsg
bytes (called_data
in this function) are decoded and some values are extracted. The most important are:msg_.externalData.magnetar
on which theburst
function is later called with specific magnetar calls (it is legitimate and whitelisted magnetar),msg_.user
on whose behalf the further operation is called,msg_.externalData
which is forwarder to further call,msg_.removeAndRepayData
which is forwarder to further call.Those parameters are used to prepare a call to
exitPositionAndRemoveCollateral
function fromOptionModule
module (defined in action'sid
param).burst
function from magnetar contract is called and it executes the specific module depending on the_action.id
:https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/gitmodule/tapioca-periph/contracts/Magnetar/Magnetar.sol#L138-L141
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/gitmodule/tapioca-periph/contracts/Magnetar/modules/MagnetarOptionModule.sol#L58-L210
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/gitmodule/tapioca-periph/contracts/Magnetar/modules/MagnetarOptionModule.sol#L60
_checkSender
function does not revert if the user is the sender or the sender is whitelisted.https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/gitmodule/tapioca-periph/contracts/Magnetar/MagnetarStorage.sol#L93-L97
exitPositionAndRemoveCollateral
function on behalf of the user (who is the victim).Note: This is only one of possible attack scenarios that exploits lack of
_srcChainSender
parameter validation.Impact
HIGH - The attacker can execute functions from
UsdoMarketReceiverModule
module on behalf of any user.Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/usdo/modules/UsdoReceiver.sol#L79
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/usdo/modules/UsdoReceiver.sol#L85
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/usdo/modules/UsdoReceiver.sol#L92
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/BaseTOFTReceiver.sol#L70
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/BaseTOFTReceiver.sol#L76
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/BaseTOFTReceiver.sol#L98
Tool used
Manual Review
Recommendation
Validate whether the user whose assets are being managed is the same address as the
_srcChainSender
parameter.