Platform: Code4rena
Start Date: 09/12/2022
Pot Size: $36,500 USDC
Total HM: 9
Participants: 69
Period: 3 days
Judge: Picodes
Total Solo HM: 2
Id: 190
League: ETH
Rank: 42/69
Findings: 1
Award: $52.84
š Selected for report: 0
š Solo Findings: 0
š Selected for report: obront
Also found by: 8olidity, HE1M, Madalad, Trust, cccz, csanuragjain, deliriusz, hansfriese, hihen, joestakey, rvierdiiev, wait, zaskoh
52.8446 USDC - $52.84
Centralization risk - administrators can steal all basetokens in collateral by modifying the DepositRecord address
In the collateral contract, allow the manager to transfer basetoken by calling managerWithdraw()
function managerWithdraw(uint256 _amount) external override onlyRole(MANAGER_WITHDRAW_ROLE) nonReentrant { if (address(managerWithdrawHook) != address(0)) managerWithdrawHook.hook(msg.sender, _amount, _amount); baseToken.transfer(manager, _amount); }
But there is a limitation in managerWithdrawHook.hook
function hook(address, uint256, uint256 _amountAfterFee) external view override { require(collateral.getReserve() - _amountAfterFee >= getMinReserve(), "reserve would fall below minimum"); } Ā function getMinReserve() public view override returns (uint256) { return (depositRecord.getGlobalNetDepositAmount() * minReservePercentage) / PERCENT_DENOMINATOR; }
After transferring basetoken, the remaining number of basetoken must be greater than the value of getMinReserve(). But here the administrator can temporarily change DepositRecord to a new address by bribing SET_DEPOSIT_RECORD_ROLE. Then the return value of getMinReserve() is 0. Thus administrators can bypass restrictions in hook(). Steal all basetoken in the contract.
vscode
Add time lock or prohibit modification of depositrecord address
#0 - c4-judge
2022-12-19T09:40:29Z
Picodes marked the issue as duplicate of #254
#1 - c4-judge
2023-01-09T20:32:40Z
Picodes marked the issue as satisfactory