leverageUpReceiver() Missing Security Check for msg_.marketHelper
Summary
In the TOFTMarketReceiverModule.leverageUpReceiver() function
there is a lack of validation to verify whether the user-provided marketHelper is whitelisted.
This oversight could allow malicious user to pass in a harmful marketHelper and construct arbitrary calls data.
Vulnerability Detail
The current implementation of TOFTMarketReceiverModule.leverageUpReceiver() is as follows:
As shown above, only the market validity is checked, but there is no validation for marketHelper.
Consequently, users can provide a malicious marketHelper that returns harmful modules, calls, leading to the execution of IMarket(msg_.market).execute(modules, calls, true); not performing the expected buyCollateral() operation.
For instance, it could execute unintended actions like borrow/removeCollateral.
Impact
The introduction of a malicious marketHelper could result in unexpected and dangerous operations, such as removeCollateral/borrow.
bin2chen
high
leverageUpReceiver() Missing Security Check for msg_.marketHelper
Summary
In the
TOFTMarketReceiverModule.leverageUpReceiver()
function there is a lack of validation to verify whether the user-providedmarketHelper
is whitelisted. This oversight could allow malicious user to pass in a harmfulmarketHelper
and construct arbitrarycalls data
.Vulnerability Detail
The current implementation of
TOFTMarketReceiverModule.leverageUpReceiver()
is as follows:As shown above, only the
market
validity is checked, but there is no validation formarketHelper
. Consequently, users can provide a maliciousmarketHelper
that returns harmfulmodules, calls,
leading to the execution ofIMarket(msg_.market).execute(modules, calls, true);
not performing the expectedbuyCollateral()
operation. For instance, it could execute unintended actions likeborrow/removeCollateral
.Impact
The introduction of a malicious
marketHelper
could result in unexpected and dangerous operations, such asremoveCollateral/borrow
.Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/TOFTMarketReceiverModule.sol#L79
Tool used
Manual Review
Recommendation
Duplicate of #90