Malicious vault owner can change ALM to malicious contract and then setModule to steal funds
Summary
See detail.
Vulnerability Detail
Steps:
Public vault owner calls ArrakisMetaVault.whitelistModules() to create a new module
On the new module, the vault owner calls setALMAndManagerFees with a malicious ALM contract.
The executor calls setModule to change the module to a new one. A payload of initializePosition() is passed in.
After this, all the funds from the old pool have been withdrawn and deposited via the new module. This ultimately sends the funds to the maliciously created ALM contract, from which the funds can be stolen.
Note that step 1 is completely non-malicious since the beacon used must have been approved by trusted protocol accounts.
Hence, step 1 would not raise any alarm bells.
Step 2 is the malicious step which requires a 2-day timelock from the vault owner in order to execute. However 2 days is likely not enough time for such a malicious action to be spotted and dealt with.
Impact
100% of the liquidity of a public vault is stolen by a malicious public vault owner.
juaan
medium
Malicious vault owner can change ALM to malicious contract and then setModule to steal funds
Summary
See detail.
Vulnerability Detail
Steps:
ArrakisMetaVault.whitelistModules()to create a new modulesetALMAndManagerFeeswith a malicious ALM contract.executorcallssetModuleto change the module to a new one. A payload ofinitializePosition()is passed in.After this, all the funds from the old pool have been withdrawn and deposited via the new module. This ultimately sends the funds to the maliciously created ALM contract, from which the funds can be stolen.
Note that step 1 is completely non-malicious since the beacon used must have been approved by trusted protocol accounts. Hence, step 1 would not raise any alarm bells.
Step 2 is the malicious step which requires a 2-day timelock from the vault owner in order to execute. However 2 days is likely not enough time for such a malicious action to be spotted and dealt with.
Impact
100% of the liquidity of a public vault is stolen by a malicious public vault owner.
Code Snippet
https://github.com/sherlock-audit/2024-03-arrakis/blob/64a7dc6ccb5de2824870474a9f35fd3386669e89/arrakis-modular/src/abstracts/ValantisHOTModule.sol#L174-L193
Tool used
Manual Review
Recommendation
Duplicate of #43