Closed sherlock-admin4 closed 2 months ago
2 comment(s) were left on this issue during the judging contest.
z3s commented:
Invalid; It's the user's responsibility to verify the contracts they use instead of the protocol's.
DHTNS commented:
Invalid -> works as intended
petarP1998
medium
Phishing_Attack
Summary
The `StrategyPassiveManagerVelodrome::harvest` function in the contract is currently using `tx.origin` instead of `msg.sender`. This introduces a security vulnerability where an attacker could exploit the function by phishing or using malicious contracts.

Vulnerability Detail
The function `StrategyPassiveManagerVelodrome::harvest` utilizes `tx.origin`, which refers to the original external account that initiated the transaction. This can be exploited by attackers through phishing attacks or malicious contracts to trick users into unknowingly executing the `harvest` function.

https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L433-L435
Impact
An attacker can create a malicious contract that calls the `harvest` function on behalf of an unsuspecting user. By using `tx.origin`, the contract incorrectly attributes the action to the original external account, allowing the attacker to manipulate the function and potentially harvest as if they were the legitimate caller.

More info on such attacks can be found here
Code Snippet
Proof Of Concept
If we make such an attack contract:
Basically we can use phishing techniques to make anyone call the `attack` function which calls the `harvest` function. Due to the fact that the `harvest` function uses `tx.origin` then basically anyone calling the `attack` function will be harvesting as if they called the function.

Tool used
Manual Review
Recommendation
Replace `tx.origin` with `msg.sender` to ensure that the caller of the `harvest` function is correctly identified.

Updated code:
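How `tx.origin` and `msg.sender` diverge once a call passes through an intermediate contract, shown as an added illustration; it is not the submission's proof of concept or updated code, and not code from the audited repository. `OriginDemo`, `Forwarder` and all of their functions are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical names; not code from the audited repository.
contract OriginDemo {
    address public immutable owner;
    address public lastOriginCaller;
    address public lastSenderCaller;

    error NotOwner(address seen);

    constructor() {
        owner = msg.sender;
    }

    // Identifies the caller by tx.origin: the externally owned account that
    // signed the transaction, however many contracts sit in between.
    function actAsOrigin() external {
        if (tx.origin != owner) revert NotOwner(tx.origin);
        lastOriginCaller = tx.origin;
    }

    // Identifies the caller by msg.sender: the immediate caller of this frame.
    function actAsSender() external {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        lastSenderCaller = msg.sender;
    }
}

// Stands for any contract that the owner's account happens to call into.
contract Forwarder {
    OriginDemo public immutable target;

    constructor(OriginDemo _target) {
        target = _target;
    }

    // Called by the owner's account: inside target, tx.origin == owner,
    // so the tx.origin check passes even though Forwarder made the call.
    function forwardOrigin() external {
        target.actAsOrigin();
    }

    // Same transaction shape: inside target, msg.sender == address(this),
    // so the msg.sender check reverts with NotOwner(address of Forwarder).
    function forwardSender() external {
        target.actAsSender();
    }
}
```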