Closed sherlock-admin2 closed 1 month ago
This is by design. From the competition rules: "Any user mistakes resulting in their own funds being lost is out of scope".
Escalate

> This is by design. From the competition rules: "Any user mistakes resulting in their own funds being lost is out of scope".

Before I submitted this report, I had read the competition rules.
So, why did I classify this issue as a medium issue and submit it?

- Not using `urnAuth(urn)` on the `lock` and `lockNgt` functions is very suspicious.
- When users want to do "free", then `urnAuth(urn)` access is required.
- Let's say it is to let everyone do "lock" without creating an `urn`, but the owner of an `urn` can give access to others with the `hope` function. The `urnAuth(urn)` function will verify it. Then why doesn't makerdao use `urnAuth(urn)` in the `lock` function? This is very suspicious for users. We assume that this is deliberately done so that a malicious internal actor can take the user's funds by changing the destination `urn` in the web frontend to belong to the internal actor when the user wants to `lock`. When the victim protests, the malicious internal actor will counterattack the victim by saying that it is the user's fault when doing `lock` by entering the wrong `urn`, then proving the `lock` code as the reason. As a result, the malicious internal actor gets the user's funds. It may happen.

Makerdao is decentralized, so make it decentralized. Ensure user security by using `urnAuth(urn)` in the "lock" function.
The escalation could not be created because you are not exceeding the escalation threshold.
You can view the required number of additional valid issues/judging contest payouts in your Profile page, in the Sherlock webapp.
Laksmana
Medium
Missing auth modifier, causing loss of user funds when locking at a different `urn`

Summary
`LockstakeEngine#lock` and `LockstakeEngine#lockNgt` have no `urnAuth(urn)` modifier. As a result, everyone can "lock" with someone's urn.
Unfortunately, once they "lock", they cannot claim their token, which is performed by "free".

Root Cause
Look at the `lock` function:
So, everyone can perform "locking" with one's urn, since those functions do not use the `urnAuth(urn)` modifier. The `urnAuth(urn)` modifier checks that the caller is the `urn` owner or is allowed to use the `urn`. Unfortunately, once they are "locked in", they cannot claim their token, because the "free" function has `urnAuth(urn)`. As a result, their token will belong to someone's `urn` that they used.

Internal pre-conditions
No response

External pre-conditions
No response

Attack Path
No response

Impact
Users who `lock` with someone else's `urn` will have their tokens belong to that person.

PoC
`LockstakeEngine.t.sol`
Run with:
`forge test --match-test test_lock_in_wrong_urn`

Mitigation
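A minimal illustration of the authorization pattern this report describes, added here as an example; it is not MakerDAO's code and not the PoC file referenced above. It assumes a simplified hypothetical engine (`UrnEngineExample`, numeric urn ids, a generic ERC-20) in which `lock` lacks `urnAuth` while `free` has it, placed next to a `lockAuthorized` variant carrying the check the report asks for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified engine (not MakerDAO's LockstakeEngine): urns are numeric ids,
// per-urn access is granted with hope(), token is any ERC-20. Only the auth pattern matters.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract UrnEngineExample {
    IERC20 public immutable gov;                                    // token being locked
    uint256 public ids;                                             // urn id counter
    mapping(uint256 => address) public urnOwners;                   // urn => owner
    mapping(uint256 => mapping(address => uint256)) public urnCan;  // urn => usr => 1 if allowed
    mapping(uint256 => uint256) public locked;                      // urn => locked balance
    constructor(IERC20 gov_) { gov = gov_; }

    // Caller must be the urn owner or have been granted access via hope().
    modifier urnAuth(uint256 urn) {
        require(urnOwners[urn] == msg.sender || urnCan[urn][msg.sender] == 1, "not-authorized");
        _;
    }

    function open() external returns (uint256 urn) {
        urn = ++ids;
        urnOwners[urn] = msg.sender;
    }

    function hope(uint256 urn, address usr) external urnAuth(urn) { urnCan[urn][usr] = 1; }

    // Pattern the report flags: no urnAuth, so a caller who passes the wrong
    // urn id credits that urn, and only that urn's owner (or delegate) can free() it.
    function lock(uint256 urn, uint256 wad) external {
        require(urnOwners[urn] != address(0), "no-urn");
        require(gov.transferFrom(msg.sender, address(this), wad), "transfer-failed");
        locked[urn] += wad;
    }

    // The report's proposed mitigation: the same gate that lock() is missing.
    function lockAuthorized(uint256 urn, uint256 wad) external urnAuth(urn) {
        require(gov.transferFrom(msg.sender, address(this), wad), "transfer-failed");
        locked[urn] += wad;
    }

    // free() is gated, which is why mis-locked tokens stay with the urn owner.
    function free(uint256 urn, address to, uint256 wad) external urnAuth(urn) {
        locked[urn] -= wad;
        require(gov.transfer(to, wad), "transfer-failed");
    }
}
```

With this layout, a call to `lock` from an account that is neither owner nor `hope`d for the given urn succeeds, while the same call to `lockAuthorized` reverts with `not-authorized`, which is the difference in behaviour the report and the closing comment disagree over.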