Users can use weth to replace any margin token in createUpdatePositionMarginRequest()
Summary
The function createUpdatePositionMarginRequest lacks sufficient input validation. This lets users use WETH in place of any margin token to earn profits or block other users' normal requests.
Vulnerability Detail
In createUpdatePositionMarginRequest, users transfer tokens when they want to increase their position's initial margin amount. If params.isNativeToken is true, users need to transfer WETH; otherwise, they need to transfer the margin token.
The vulnerability is that when a request is created via createUpdatePositionMarginRequest, params.marginToken is used as request.marginToken. So if the input params.isNativeToken is true and params.marginToken is not WETH (for example, the updated position is a wBTC position), we transfer some amount of ether to the Trade Vault when we create the request, and then, when the keeper executes the request, the system transfers the same amount of wBTC to the LP Pool.
In normal cases, the request cannot be executed successfully, because there is not enough wBTC in the Trade Vault. However, considering that there are many requests now, and traders are transferring their wBTC to the Trade Vault, a hacker can make use of this vulnerability to use WETH to get the same amount of other tokens.
jennifer37
High
PoC
Add this test in increaseMarketOrder.test.ts, the procedure is like:
isNative = true, transfer ETHER to Trade Vault
Impact
Code Snippet
https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/facets/PositionFacet.sol#L22-L59
Tool used
Manual Review
Recommendation
Add the related input validation. If isNative is true, we need to make sure the related position's margin token is WETH.
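
One way to express this check in Solidity, as an added example that is not code from the Elfi repository or from the report's author. Only isNativeToken and marginToken are names from the report; the contract, the other struct fields, the errors and the position registry are hypothetical, and the check that the request names the position's own margin token goes one step beyond the recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not Elfi protocol code. Names other than
// isNativeToken and marginToken are hypothetical.
contract MarginRequestGuard {
    struct UpdateMarginParams {
        bytes32 positionKey;  // hypothetical position identifier
        bool isNativeToken;   // true: the request is funded with ETH/WETH
        address marginToken;  // copied into request.marginToken, debited at execution
    }

    error UnknownPosition(bytes32 positionKey);
    error MarginTokenMismatch(address requested, address positionToken);
    error NativeTokenNotWeth(address positionToken, address weth);

    address public immutable weth;

    // Hypothetical stand-in for position storage: the margin token each
    // position was opened with.
    mapping(bytes32 => address) public positionMarginToken;

    constructor(address weth_) {
        weth = weth_;
    }

    // Hypothetical helper so the example is usable; real position creation
    // would be access-controlled and live elsewhere.
    function registerPosition(bytes32 key, address token) external {
        positionMarginToken[key] = token;
    }

    // Reverts unless the asset deposited when the request is created is the
    // same asset the keeper later moves out of the shared vault.
    function validate(UpdateMarginParams calldata p) external view {
        address positionToken = positionMarginToken[p.positionKey];
        if (positionToken == address(0)) revert UnknownPosition(p.positionKey);

        // Assumption beyond the report: the request must name the
        // position's own margin token.
        if (p.marginToken != positionToken) {
            revert MarginTokenMismatch(p.marginToken, positionToken);
        }
        // The recommended check: native funding only for WETH-margined positions.
        if (p.isNativeToken && positionToken != weth) {
            revert NativeTokenNotWeth(positionToken, weth);
        }
    }
}
```

A request with isNativeToken set to true against a wBTC-margined position reverts with NativeTokenNotWeth at creation time, so the deposited asset and the asset later debited from the vault cannot differ.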