Closed sherlock-admin4 closed 1 month ago
With the TRANSFERRER_ROLE we want to prevent an AMM pool and, consequentially, a secondary market price. This design successfully prevents this.
As a side note, our current deployment uses Sablier v2.0, which doesn't allow making streams untransferable.
Agree with the sponsor, this issue is then low severity because it doesn't have any impact.
nfmelendez
medium
Any address without TRANSFERRER_ROLE can transfer esEXA tokens.
Summary
Only addresses with TRANSFERRER_ROLE can transfer esEXA tokens, but ANY address can transfer esEXA to another using a combination of esEXA::vest, sablier::transferFrom and esEXA::cancel, because when vesting the EscrowedEXA.sol contract creates a sablier token stream with the transferable=true property by default.
Vulnerability Detail
When a user vests esEXA tokens a sablier token stream is automatically created with the transferable=true property. If the user cancels right after initiating the vesting, the esEXA tokens are then transferred to the intended recipient. However, due to the stream's transferable nature, the recipient of the stream can be altered. Consequently, this new recipient can receive the esEXA tokens upon cancellation, thereby circumventing the controls established by the TRANSFERRER_ROLE.
Attack path
Mark can transfer esEXA to Sam by doing esEXA::vest, sablier::transferFrom and esEXA::cancel, and Sam gets the esEXA tokens.
Proof of Concept
Paste this POC into EscrowedEXA.t.sol and add the import:
Impact
The TRANSFERRER_ROLE access control bypass breaks important assumptions that protocol contracts make, exactly as the documentation says:
The esEXA tokens are only transferable for accounts with a TRANSFERER_ROLE, reserved for the protocol contracts to integrate smoothly.
This design flaw could create security problems, operational problems or loss of funds for those protocol contracts that rely on the assumption that only accounts with TRANSFERRER_ROLE can transfer esEXA tokens.
Code Snippet
https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/periphery/EscrowedEXA.sol#L58-L62
https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/periphery/EscrowedEXA.sol#L96-L107
Tool used
Manual Review
Recommendation
Only addresses with TRANSFERRER_ROLE should create transferable=true token streams, and all other addresses should create non-transferable streams.