Arcade.xyz - Jiamin's results

Lines of code

https://github.com/code-423n4/2023-07-arcade/blob/f8ac4e7c4fdea559b73d9dd5606f618d4e6c73cd/contracts/ArcadeTreasury.sol#L189-L201

Vulnerability details

Impact

GSC allowance given to an address cannot be altered under certain circumstances.

Proof of Concept

function gscApprove in ArcadeTreasury.sol allows GSC to give token allowance to an address to pull tokens from the treasury.

    function gscApprove(
        address token,
        address spender,
        uint256 amount
    ) external onlyRole(GSC_CORE_VOTING_ROLE) nonReentrant {
        if (spender == address(0)) revert T_ZeroAddress("spender");
        if (amount == 0) revert T_ZeroAmount();


        // Will underflow if amount is greater than remaining allowance
        gscAllowance[token] -= amount;


        _approve(token, spender, amount, spendThresholds[token].small);
    }

One address can be approved by many times and the allowance is updated to the newest amount. However, under certain circumstances, an address's allowance cannot be altered even if it is to reduce the approved allowance. For example, assuming token is USDC and gscAllowance[token] is 100e6, address A was given 60e6 allowance by GSC, if then GSC want to reduce the allowance to 50e6, the transaction will fail because of the following line:

    gscAllowance[token] -= amount

At the moment, gscAllowance[token] is 40e6 and amount is 50e6, underflow error will be thrown due to 40e6 - 50e6.

Tools Used

Manual Review

Recommended Mitigation Steps

If it is to reduce the allowance to an address, please consider to add the reduced amount to gscAllowance[token].

Assessed type

Access Control

Lines of code

https://github.com/code-423n4/2023-07-arcade/blob/f8ac4e7c4fdea559b73d9dd5606f618d4e6c73cd/contracts/ArcadeTreasury.sol#L303-L323

Vulnerability details

Impact

Token allowance given to an address by GSC is not revoked when GSC allowance is decreased, the approved address can pull more tokens from treasury than GSC allowance.

Proof of Concept

GSC can give token allowance to an address, the given allowance cannot be more than GSC allowance, i.e. the approved address cannot pull more tokens than GSC allowance. The GSC allowance can be updated by admin:

    function setGSCAllowance(address token, uint256 newAllowance) external onlyRole(ADMIN_ROLE) {
        if (token == address(0)) revert T_ZeroAddress("token");
        if (newAllowance == 0) revert T_ZeroAmount();


        // enforce cool down period
        if (uint48(block.timestamp) < lastAllowanceSet[token] + SET_ALLOWANCE_COOL_DOWN) {
            revert T_CoolDownPeriod(block.timestamp, lastAllowanceSet[token] + SET_ALLOWANCE_COOL_DOWN);
        }


        uint256 spendLimit = spendThresholds[token].small;
        // new limit cannot be more than the small threshold
        if (newAllowance > spendLimit) {
            revert T_InvalidAllowance(newAllowance, spendLimit);
        }


        // update allowance state
        lastAllowanceSet[token] = uint48(block.timestamp);
        gscAllowance[token] = newAllowance;


        emit GSCAllowanceUpdated(token, newAllowance);
    }

If GSC allowance is decreased, for example, from 100e6 to 50e6, GSC cannot give more than 50e6 allowance to an address, however, if an address was given 100e6 allowance before the update, this address can still pull 100e6 tokens from treasury because the allowance is not revoked after the update.

Tools Used

Manual Review

Recommended Mitigation Steps

If GSC allowance is updated by admin, please consider to revoke the token allowance given out by GSC.

Assessed type

Access Control