Platform: Code4rena
Start Date: 22/09/2023
Pot Size: $100,000 USDC
Total HM: 15
Participants: 175
Period: 14 days
Judge: alcueca
Total Solo HM: 4
Id: 287
League: ETH
Rank: 167/175
Findings: 1
Award: $0.11
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xTheC0der
Also found by: 0x180db, 0xDING99YA, 0xRstStn, 0xTiwa, 0xWaitress, 0xblackskull, 0xfuje, 3docSec, Aamir, Black_Box_DD, HChang26, Hama, Inspecktor, John_Femi, Jorgect, Kek, KingNFT, Kow, Limbooo, MIQUINHO, MrPotatoMagic, NoTechBG, Noro, Pessimistic, QiuhaoLi, SovaSlava, SpicyMeatball, T1MOH, TangYuanShen, Vagner, Viktor_Cortess, Yanchuan, _eperezok, alexweb3, alexxander, ast3ros, ayden, bin2chen, blutorque, btk, ciphermarco, ether_sky, gumgumzum, gztttt, hals, imare, its_basu, joaovwfreire, josephdara, klau5, kodyvim, ladboy233, marqymarq10, mert_eren, minhtrng, n1punp, nobody2018, oada, orion, peakbolt, peritoflores, perseverancesuccess, pfapostol, rvierdiiev, stuxy, tank, unsafesol, ustas, windhustler, zambody, zzzitron
0.1127 USDC - $0.11
payableCall, which can be found in VirtualAccount.sol, does not use the requiresApprovedCaller modifier like every other function in the contract does, which will let anyone do arbitrary calls from any VirtualAccount, leading to loss of funds/assets to the users.
As you can see in the contract, every function uses requiresApprovedCaller, which ensures that the functions can only be called by the owner of the VirtualAccount or the approved router, to make changes like transferring ERC20, native tokens or ERC721 from the VirtualAccount:
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/VirtualAccount.sol#L51-L53
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/VirtualAccount.sol#L56-L58
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/VirtualAccount.sol#L61-L63
but the payableCall function does not have any modifier to protect it, which means that anyone can call this function on any VirtualAccount with any arbitrary data. To give you 2 important examples of how this can be abused:
- Target any ERC20 token the VirtualAccount holds: call the transfer function with one of their addresses as the argument, stealing all of the ERC20 from the contract.
- Target the NFTs the VirtualAccount should hold from platforms like UniswapV3: transfer the NFT to themselves, which will lead to loss of funds/assets to the owners of the VirtualAccount.
These are only two examples, but it can be used in multiple ways to hurt the users. The fact that the function is payable does not change anything, since calls can be made with 0 wei, which basically makes the function act like the normal call.
Tools used: Manual review
Since you are using the modifier on every other function in VirtualAccount.sol, use it on payableCall as well: calling that function with 0 value acts the same as the normal call, and you already have that protected by the modifier.
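The fix described above, as an added illustration that is not the Maia code: a minimal stand-in for VirtualAccount with the guarded `call` beside the unguarded and guarded `payableCall`. The struct, storage names and the body of `requiresApprovedCaller` are assumptions made for this example only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for VirtualAccount (not the project's code).
// PayableCall, userAddress and isApprovedRouter are assumed names.
struct PayableCall {
    address target;
    bytes callData;
    uint256 value;
}

contract VirtualAccountExample {
    error UnauthorizedCaller();
    error CallFailed();

    address public immutable userAddress;
    mapping(address => bool) public isApprovedRouter;

    constructor(address _user) { userAddress = _user; }

    // Only the account owner or an approved router may drive the account.
    modifier requiresApprovedCaller() {
        if (msg.sender != userAddress && !isApprovedRouter[msg.sender]) revert UnauthorizedCaller();
        _;
    }

    // Before: no modifier. Any address can make this account execute arbitrary
    // calls with value 0, i.e. the same power as the guarded call() below.
    function payableCallUnprotected(PayableCall[] calldata calls) external payable returns (bytes[] memory) {
        return _execute(calls);
    }

    // After: same guard as every other function in the contract.
    function payableCall(PayableCall[] calldata calls) external payable requiresApprovedCaller returns (bytes[] memory) {
        return _execute(calls);
    }

    function _execute(PayableCall[] calldata calls) internal returns (bytes[] memory returnData) {
        returnData = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory data) = calls[i].target.call{value: calls[i].value}(calls[i].callData);
            if (!ok) revert CallFailed();
            returnData[i] = data;
        }
    }
}
```

A unit test for this check is simply: an address that is neither `userAddress` nor an approved router calling `payableCall` must revert with `UnauthorizedCaller`, with and without attached value.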
Assessed type: Access Control
#0 - c4-pre-sort
2023-10-08T14:09:44Z
0xA5DF marked the issue as duplicate of #888
#1 - c4-pre-sort
2023-10-08T14:52:01Z
0xA5DF marked the issue as sufficient quality report
#2 - c4-judge
2023-10-26T11:29:56Z
alcueca marked the issue as satisfactory