Platform: Code4rena
Start Date: 14/09/2022
Pot Size: $50,000 USDC
Total HM: 25
Participants: 110
Period: 5 days
Judge: hickuphh3
Total Solo HM: 9
Id: 162
League: ETH
Rank: 55/110
Findings: 1
Award: $85.85
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: hyh
Also found by: 0x4non, 0xNazgul, Haruxe, KIntern_NA, PwnPatrol, Respx, Tointer, joestakey, pauliax, peritoflores, rotcivegaf, scaraven
85.8509 USDC - $85.85
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/Vault.sol#L203 https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/SemiFungibleVault.sol#L110
In both Vault.sol#L203 and SemiFungibleVault.sol#L110 ( where the original virtual function comes from ) the withdraw() function is used to withdraw entitled deposited assets. The issue lies in the fact that the caller can specify the owner and receiver as long as isApprovedForAll(owner, receiver) passes. This opens up the opportunity for a bad actor to grief by calling the withdraw() function on behalf of a previously approved address and send the funds whenever they like.
If a user were to give exclusive access of their token(s) to a contract or another user, a bad actor could call the withdraw() function immediately with their respective addresses which would carry on the transaction, burning the user's tokens, giving fees to the treasury, and giving them to the other party.
VS Code
Outside users should not have access to others' assets, and msg.sender should be checked again in the function to prove that the caller has the permission to call withdraw() on behalf of another user. If the situation allows, limiting withdraws to msg.sender would mitigate this risk.
It can be noted as well that in the ERC1155.sol contract, the safeTransferFrom() function requires the operator value to be msg.sender().
#0 - HickupHH3
2022-11-01T10:24:09Z
dup of #434
#1 - HickupHH3
2022-11-03T13:08:32Z
Satisfactory because of explanation of loss of funds by malicious actor.