Open sherlock-admin3 opened 6 months ago
1 comment(s) were left on this issue during the judging contest.
WangAudit commented:
I believe it's low; don't think lost allowance is somewhat equivalent to loss of funds and I don't think how it actually harms anyone; plus can be mitigated by setting uint max allowance
The protocol team fixed this issue in PR/commit https://github.com/Tapioca-DAO/Tapioca-bar/pull/368.
Escalate Allowance double spending without material prerequisites implies fund loss with a high probability. Allowance mechanics in question gives an ability to extract the collateral, i.e. is a direct equivalent of funds. On these grounds the issue should have high severity as described.
Escalate Allowance double spending without material prerequisites implies fund loss with a high probability. Allowance mechanics in question gives an ability to extract the collateral, i.e. is a direct equivalent of funds. On these grounds the issue should have high severity as described.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
@maarcweiss Could you let us know why you believe this issue should be medium severity?
I agree with @dmitriia escalation. We can upgrade it to High.
I don't think this issue meets the criteria for High severity according to Sherlock's criteria.
It involves the allowance of calldata_.from
for the sender being spent twice, which doesn't directly result in a loss of funds. Instead, it causes the function to revert if the user approves the exact allowance they want to extract in correct behavior. While users may need to approve double allowance for the sender, which is risky, but it doesn't qualify as high severity since the sender is trusted by the user. I believe that the funds of users cannot be exploited without any external conditions, and the report didn't mention any attack path that could cause a loss.
I agree with @huuducsc on this one, losing allowance and/or reverting on a correct one is important though does not apply as direct loss of funds. I think it should stay as a med.
I will agree with @maarcweiss and @huuducsc comments and reject the escalation and this issue will remain Medium.
Result: Medium Unique
hyh
high
Allowances is double spent in BBLeverage's and SGLLeverage's
sellCollateral()
Summary
Both
sellCollateral()
functions remove allowance twice, before and after target debt size control.This way up to double allowance is removed each time: exactly double amount when repay amount is at or below the actual debt, somewhat less than double amount when repay amount is bigger than actual debt.
Vulnerability Detail
Both
_allowedBorrow()
and_repay()
operations spend the allowance from the caller. In thesellCollateral()
case it should be done once, before the operation, since collateral removal is unconditional. It is spend twice, on collateral removal, and then on debt repayment now instead.Impact
BBLeverage's and SGLLeverage's
sellCollateral()
callers lose the approximately double amount of collateral allowance on each call. The operations with correctly set allowance amounts will be denied.There are no prerequisites, so the probability is high. As the allowances are material and extra amounts can be directly exploitted via collateral removal (i.e. any extra allowance can be instantly turned to the same amount of collateral as long as borrower's account is healthy enough), so having allowances lost is somewhat lower/equivalent severity to loss of funds, i.e. have medium/high severity.
Likelihood: High + Impact: Medium/High = Severity: High.
Code Snippet
The allowance is double written off in BBLeverage's and SGLLeverage's
sellCollateral()
:https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLeverage.sol#L126-L162
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/singularity/SGLLeverage.sol#L106-L148
Tool used
Manual Review
Recommendation
Consider adding a flag to
_repay()
, indicating that allowance spending was already recorded.https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLendingCommon.sol#L107-L122
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/singularity/SGLLendingCommon.sol#L91-L106
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLeverage.sol#L126-L162
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/singularity/SGLLeverage.sol#L106-L148
All other
_repay()
calls should by default usecheckAllowance == true
.