Open sherlock-admin3 opened 5 months ago
Medium
@cryptotechmaker This could be high severity given the impact highlighted
For example, removeCollateral operation can have both msg.withdrawParams.withdraw == true and to = msg.user instead of to = msg_.removeParams.magnetar, stealing the corresponding assets from magnetar balance (i.e. instead of forwarding the user assets received it will use assets from the own balance instead as user both received assets directly and called withdraw via magnetar).
The protocol team fixed this issue in PR/commit https://github.com/Tapioca-DAO/TapiocaZ/pull/180.
hyh
high
Malicious MarketHelper contract can be used in TOFTMarketReceiverModule's leverageUpReceiver and marketRemoveCollateralReceiver functions
Summary
User-supplied
marketHelper
contract is called for building market'sexecute()
call, but inleverageUpReceiver()
andmarketRemoveCollateralReceiver()
it's not whitelisted.Vulnerability Detail
An attacker can craft any logic and provide it as
marketHelper
, placing arbitrarymodules
andcalls
formarket
execute()
, not corresponding forbuyCollateral
orremoveCollateral
operations.For example,
removeCollateral
operation can have bothmsg_.withdrawParams.withdraw == true
andto = msg_.user
instead ofto = msg_.removeParams.magnetar
, stealing the corresponding assets frommagnetar
balance (i.e. instead of forwarding the user assets received it will use assets from the own balance instead as user both received assets directly and calledwithdraw
viamagnetar
).Impact
In the example above
magnetar
, being a helper contract itself, has to have assets on the balance to steal. But there might be different sequences of operations allowing other loss making manipulations. Placing to medium the cumulative probability of reaching the state when craftedmarketHelper
produced call sequence can trick the desired logic to gain a material benefit.Likelihood: Medium + Impact: High = Severity: High.
Code Snippet
marketHelper
isn't checked to be whitelisted inleverageUpReceiver()
:https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/TOFTMarketReceiverModule.sol#L74-L79
It is used to craft call sequence for
market
, that can be arbitrary this way (which, even havingmodules
fixed and sound, still can have a variety of unintended impacts similar to misplacingto
as mentioned above):https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/TOFTMarketReceiverModule.sol#L88-L93
And in
marketRemoveCollateralReceiver()
:https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/TOFTMarketReceiverModule.sol#L161-L165
Where it can, as an example, place
msg_.user
asto
, still callingwithdraw
frommagnetar
:https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/TOFTMarketReceiverModule.sol#L172-L197
I.e. the assumption that the calls is constructed by regular white-listed
MarketHelper
to follow the operation logic is broken:https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/MarketHelper.sol#L119-L128
Tool used
Manual Review
Recommendation
Since the contract is known and already included to white lists in the system, consider checking it in
leverageUpReceiver()
andmarketRemoveCollateralReceiver()
:https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/TOFTMarketReceiverModule.sol#L74-L79
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/TOFTMarketReceiverModule.sol#L161-L165