Manipulation and Exploitation of StableModule Contract to Manipulate Withdrawal Fees andPpotentially Profit from Exploiting User Funds.
Summary
The exploitation of StableModule in the StableWithdrawFee can lead to an attacker manipulating withdrawal fees, resulting in unauthorized fund withdrawals or significant financial losses for users of the contract.
Vulnerability Detail
Insufficient Access Control: Functions like setStableWithdrawFee are only protected by onlyOwner, which might not be enough if the contract owner is compromised or if a bug in another part of the contract allows access.
Fee Manipulation: The setStableWithdrawFee function allows the owner to set the fee to any value up to 1% (0.01e18). If the owner is compromised or misuses this function, they could set the fee too high and manipulate user withdrawals.
Lack of Validation: The contract lacks specific validations on _executableAtTime, _announcedDeposit, and _announcedWithdraw parameters. This can lead to unintended behaviors if these parameters are manipulated.
Impact
Financial Loss: An attacker could exploit the vulnerability to manipulate withdrawal fees and siphon funds from users' accounts, leading to potential financial loss for users.
Reduced Trust: Users of the contract may lose trust in the platform due to the potential for exploitation, resulting in reduced participation and usage of the contract.
Market Manipulation: By manipulating withdrawal fees, an attacker could disrupt the market dynamics and affect the stability of the protocol, potentially causing broader financial instability within the ecosystem.
Deploy the Attack contract and pass the address of the StableModule contract as a constructor argument.
Call the manipulateWithdrawalFee function with a high fee value (e.g., 0.01e18) to manipulate withdrawal fees.
Use the exploitWithdraw function to withdraw funds from an account. The attacker can set the parameters such as account, executableAtTime, and announcedWithdraw according to their exploitation strategy.
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "./StableModule.sol";
contract Attack {
StableModule stableModule;
address public attacker;
constructor(address _stableModule) {
stableModule = StableModule(_stableModule);
attacker = msg.sender;
}
// Attack function to manipulate withdrawal fees
function manipulateWithdrawalFee(uint256 newFee) external {
// Assuming the attacker somehow gains access to the owner role
stableModule.setStableWithdrawFee(newFee);
}
// Attack function to withdraw funds
function exploitWithdraw(
address account,
uint64 executableAtTime,
FlatcoinStructs.AnnouncedStableWithdraw calldata announcedWithdraw
) external {
// Assuming the attacker gains permission to executeWithdraw
(uint256 amountOut, uint256 withdrawFee) = stableModule.executeWithdraw(
account,
executableAtTime,
announcedWithdraw
);
// The attacker can now profit from the withdrawal fee
// For example, redirecting the withdrawn amount to their own account
}
}
Tool used
Manual Review
Recommendation
Stronger Access Control: Ensure that only authorized entities can access sensitive functions.
Limit Fee Adjustments: Consider implementing tighter restrictions on fee adjustments, or remove the ability to change fees altogether once set.
Parameter Validation: Add proper validation checks on parameters such as _executableAtTime, _announcedDeposit, and _announcedWithdraw to avoid unexpected behavior.
BZ
medium
Manipulation and Exploitation of
StableModuleContract to Manipulate Withdrawal Fees andPpotentially Profit from Exploiting User Funds.Summary
The exploitation of
StableModulein theStableWithdrawFeecan lead to an attacker manipulating withdrawal fees, resulting in unauthorized fund withdrawals or significant financial losses for users of the contract.Vulnerability Detail
Insufficient Access Control: Functions like
setStableWithdrawFeeare only protected byonlyOwner, which might not be enough if the contract owner is compromised or if a bug in another part of the contract allows access.Fee Manipulation: The
setStableWithdrawFeefunction allows the owner to set the fee to any value up to 1% (0.01e18). If the owner is compromised or misuses this function, they could set the fee too high and manipulate user withdrawals.Lack of Validation: The contract lacks specific validations on
_executableAtTime,_announcedDeposit, and_announcedWithdrawparameters. This can lead to unintended behaviors if these parameters are manipulated.Impact
Financial Loss: An attacker could exploit the vulnerability to manipulate withdrawal fees and siphon funds from users' accounts, leading to potential financial loss for users.
Reduced Trust: Users of the contract may lose trust in the platform due to the potential for exploitation, resulting in reduced participation and usage of the contract.
Market Manipulation: By manipulating withdrawal fees, an attacker could disrupt the market dynamics and affect the stability of the protocol, potentially causing broader financial instability within the ecosystem.
Code Snippet
https://github.com/sherlock-audit/2024-03-flat-money-fix-review-contest/blob/main/flatcoin-v1/src/StableModule.sol#L260
https://github.com/sherlock-audit/2024-03-flat-money-fix-review-contest/blob/main/flatcoin-v1/src/StableModule.sol#L58 https://github.com/sherlock-audit/2024-03-flat-money-fix-review-contest/blob/main/flatcoin-v1/src/StableModule.sol#L45
Proof of Concept
Deploy the Attack contract and pass the address of the
StableModulecontract as a constructor argument.Call the
manipulateWithdrawalFeefunction with a high fee value (e.g., 0.01e18) to manipulate withdrawal fees.Use the
exploitWithdrawfunction to withdraw funds from an account. The attacker can set the parameters such as account,executableAtTime, andannouncedWithdrawaccording to their exploitation strategy.Tool used
Manual Review
Recommendation
Stronger Access Control: Ensure that only authorized entities can access sensitive functions.
Limit Fee Adjustments: Consider implementing tighter restrictions on fee adjustments, or remove the ability to change fees altogether once set.
Parameter Validation: Add proper validation checks on parameters such as
_executableAtTime,_announcedDeposit, and_announcedWithdrawto avoid unexpected behavior.