Closed sherlock-admin3 closed 5 months ago
Low because modules are validated and the call data is also validated during the call path, though we will still add the validation to the market helper address as an improvement.
Modules are validated, but harm can be caused even by running arbitrary calls with the safe modules, see #90 (dup).
ctf_sec
high
lack of market helper address validation allows theft of fund
Summary
lack of market helper address validation allows theft of fund
Vulnerability Detail
In TOFTMarketReceiverModule.sol (Line of code) we validate
Impact
However, if we take a look at the LeverageUpActionMsg struct (Line of code), the marketHelper address is not validated.
This is crucial because the code tries to call IMarketHelper(msg_.marketHelper).buyCollateral to generate call data.
However, if a user can pass in any msg_.marketHelper, he can generate any call data, for example,
He can then generate call data to remove someone else's collateral if another user gives the contract approval. (Line of code)
Note that allowedBorrow(from, share) calls: (Line of code)
As we can see, TOFT.sol very likely holds a lot of token approvals.
If a user can pass a marketHelper they control, they can just deploy this contract as marketHelper:
No matter which from address is passed in, the victim address is encoded in the execute module call data.
Then, after the victim gives the magnetar address approval to transfer his own asset,
the attacker can input the victim address, remove collateral from the victim address and withdraw the collateral to the attacker's own address.
In this case, even though the function called is named buyCollateral, the user maliciously composes the call data to remove assets.
Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/TapiocaZ/contracts/tOFT/modules/TOFTMarketReceiverModule.sol#L74
https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/Tapioca-bar/gitmodule/tapioca-periph/contracts/interfaces/oft/ITOFT.sol#L150
https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/Tapioca-bar/contracts/markets/bigBang/BBCollateral.sol#L48
https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/Tapioca-bar/contracts/markets/Market.sol#L416
Tool used
Manual Review
Recommendation
This function should verify that the marketHelper address is among a list of approved or whitelisted addresses before proceeding with any operations.
Duplicate of #90
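The recommended allowlist check, sketched as an added example that is not code from the Tapioca repository or from the report's author. The contract, the IHelperLike interface, its buyCollateral signature, the single-market layout and the selector check are all assumptions made for illustration; only the idea of validating a user-supplied marketHelper before calling it comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in: the real IMarketHelper signature is not shown on this page.
interface IHelperLike {
    function buyCollateral(address from, uint256 amount, bytes calldata data)
        external view returns (bytes memory callData);
}

contract HelperAllowlistExample {
    address public immutable owner;
    address public immutable market;          // assumed: the one market this receiver may call
    bytes4 public immutable expectedSelector; // assumed: selector a trusted helper should emit
    mapping(address => bool) public allowedHelper;

    event HelperSet(address indexed helper, bool allowed);
    error NotOwner();
    error HelperNotAllowed(address helper);
    error UnexpectedCallData();
    error MarketCallFailed();

    constructor(address market_, bytes4 expectedSelector_) {
        owner = msg.sender;
        market = market_;
        expectedSelector = expectedSelector_;
    }

    function setHelper(address helper, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        allowedHelper[helper] = allowed;
        emit HelperSet(helper, allowed);
    }

    // `helper` arrives in a user-supplied message, like msg_.marketHelper in the report.
    function leverageUp(address helper, address from, uint256 amount, bytes calldata data) external {
        // 1. Reject any helper the owner has not approved, before calling into it.
        if (!allowedHelper[helper]) revert HelperNotAllowed(helper);
        bytes memory callData = IHelperLike(helper).buyCollateral(from, amount, data);
        // 2. Defense in depth: the call data must start with the expected function selector.
        if (callData.length < 4 || bytes4(callData) != expectedSelector) revert UnexpectedCallData();
        (bool ok,) = market.call(callData);
        if (!ok) revert MarketCallFailed();
    }
}
```

The selector check only narrows which function can be reached; it does not verify the arguments a helper encodes, so the allowlist remains the primary control.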