Platform: Code4rena
Start Date: 23/05/2022
Pot Size: $50,000 USDC
Total HM: 44
Participants: 99
Period: 5 days
Judge: hickuphh3
Total Solo HM: 11
Id: 129
League: ETH
Rank: 50/99
Findings: 2
Award: $121.12
🌟 Selected for report: 0
🚀 Solo Findings: 0
67.7551 USDC - $67.76
Without a check on the _stratUtil address, a malicious strategist could arbitrarily supply any corrupt address, which would cause rebalance() in IBathToken to transfer() filledAsset to that malicious contract. The fake strategistUtility could also expose functions that make it comply with the interface. The lack of a check could result in the theft of excess assets that cannot be swapped back without incurring a loss during rebalancing.

Right now current strategists need to be approved by the BathHouse, which assures to a certain degree that this exploit will not happen, but in the future, as the project grows, the need for decentralized strategists will rise and the check for the strategist will be the minimum requirement.
1. Malicious strategist creates a fake IStrategistUtility with functions similar to the real IStrategistUtility.
2. Malicious strategist inputs the address of the fake IStrategistUtility as _stratUtil of tailOff() in BathPair.
3. tailOff() then calls rebalance() in the IBathToken.
4. rebalance(), after calculating stratReward, transfers filledAsset to the fake IStrategistUtility.
5. tailOff() will then call UNIdump() in the fake IStrategistUtility, resulting in nothing happening and filledAsset getting stolen.
The contract owner should add a check or whitelist on the external address to make sure that assets will only be sent to a verified address.
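As an added illustration (not the warden's submission and not Rubicon's code), a simplified Solidity sketch of tailOff() with the recommended whitelist check next to the unchecked form the finding describes; the IBathHouse registry method, the amount parameter, the approvedStrategist mapping and the inlined rebalance are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified reconstruction. Names such as BathPair, tailOff,
// rebalance, IStrategistUtility and UNIdump come from the finding; the
// BathHouse registry method and the token plumbing below are assumptions.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IStrategistUtility {
    function UNIdump(address asset, uint256 amount) external;
}

// Assumed: the BathHouse keeps a registry of vetted utility contracts.
interface IBathHouse {
    function isApprovedStrategistUtility(address util) external view returns (bool);
}

contract BathPairSketch {
    IBathHouse public immutable bathHouse;
    IERC20 public immutable filledAsset;
    mapping(address => bool) public approvedStrategist; // assumed, set by BathHouse

    error UntrustedStrategistUtility(address util);

    constructor(IBathHouse _bathHouse, IERC20 _filledAsset) {
        bathHouse = _bathHouse;
        filledAsset = _filledAsset;
    }

    modifier onlyStrategist() {
        require(approvedStrategist[msg.sender], "not an approved strategist");
        _;
    }

    // Hardened form: any _stratUtil not whitelisted by the BathHouse is refused
    // before the asset moves, so the address-only trust the finding describes
    // (being a strategist is enough to name any receiver) no longer applies.
    function tailOff(address _stratUtil, uint256 amount) external onlyStrategist {
        if (!bathHouse.isApprovedStrategistUtility(_stratUtil)) {
            revert UntrustedStrategistUtility(_stratUtil);
        }
        // Stand-in for IBathToken.rebalance(): pays filledAsset to the utility.
        require(filledAsset.transfer(_stratUtil, amount), "transfer failed");
        IStrategistUtility(_stratUtil).UNIdump(address(filledAsset), amount);
    }
}
```

The unchecked variant in the finding is the same function without the revert; an address-only gate on msg.sender does not constrain where the transfer lands.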
#0 - bghughes
2022-06-03T21:50:27Z
Duplicate of #113 #344
#1 - HickupHH3
2022-06-17T02:13:28Z
Duplicate of #157
#2 - HickupHH3
2022-06-17T02:55:32Z
Centralisation risk issue: #344
#3 - HickupHH3
2022-06-21T09:52:19Z
duplicate of #211