Platform: Code4rena
Start Date: 25/08/2022
Pot Size: $75,000 USDC
Total HM: 35
Participants: 147
Period: 7 days
Judge: 0xean
Total Solo HM: 15
Id: 156
League: ETH
Rank: 14/147
Findings: 1
Award: $1,905.41
🌟 Selected for report: 1
🚀 Solo Findings: 1
🌟 Selected for report: Czar102
1905.4132 DAI - $1,905.41
https://github.com/code-423n4/2022-08-olympus/blob/main/src/modules/TRSRY.sol#L108-L112
An attacker can pay back their loan to the treasury module with protocol-owned tokens. This will cause their loan to decrease despite the protocol won't be given funds for it.
The code first measures the number of tokens in the treasury, then transfers an amount to the contract and checks the change it caused. This is put behind a nonReentrant modifier so that one can't use the same balance change to pay back multiple parts of (potentially) multiple loans.
The problem arises when the treasury doesn't only claim tokens from paying back loans, but also claims protocol revenue. Since, an attacker can gain execution in the moment the funds are pulled to the treasury to trigger any function that grants treasury this type of tokens (collects protocol revenue). The contract will count these tokens as paying back one's loan since this happened between balance measurements.
Add a function used to pull a token to the contract and mark it nonReentrant. Any transfer of tokens to the treasury should be done through that function.
#0 - ind-igo
2022-09-08T04:55:56Z
I am confused by this submission. Need more information.
#1 - 0xLienid
2022-09-08T17:30:39Z
@ind-igo maybe like #403 ?
#2 - ind-igo
2022-09-12T22:03:26Z
Spoke with Czar, solution for minimal change is adding received = min(received, amount_); . Confirming issue.