Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 83/111
Findings: 1
Award: $22.96
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Jeiwan
Also found by: 0xSmartContract, 0xStalin, 3docSec, ABAIKUNANBAEV, btk, dev0cloo, dirk_y, grearlake, jaraxxus, keccak123, neumo, oxchsyston, rvierdiiev
22.9603 USDC - $22.96
When a vault is initialized, it sets Max Token Approval for the Yield Vault which allows the Yield Vault to ALWAYS have access to the funds in the vault. Since vaults can be created by anyone as long as they provide an ERC-4626 compliant yield source, an attacker could set up a malicious ERC-4626 contract and set that as the yield source for a newly created Vault. The attacker could then have the malicious contract use SafeTransferFrom to periodically empty the vault of assets that haven't yet been sent to the malicious yield vault.
Manual review
Vaults should only approve tokens when they are being transferred out.
Token-Transfer
#0 - c4-judge
2023-07-16T10:28:49Z
Picodes marked the issue as duplicate of #324
#1 - c4-judge
2023-08-06T10:44:49Z
Picodes changed the severity to 2 (Med Risk)
#2 - c4-judge
2023-08-06T10:45:18Z
Picodes marked the issue as satisfactory
🌟 Selected for report: Jeiwan
Also found by: 0xSmartContract, 0xStalin, 3docSec, ABAIKUNANBAEV, btk, dev0cloo, dirk_y, grearlake, jaraxxus, keccak123, neumo, oxchsyston, rvierdiiev
22.9603 USDC - $22.96
Since vaults can be created by anyone as long as they provide an ERC-4626 compliant yield source, an attacker could set up a malicious ERC-4626 contract and set that as the yield source for a newly created Vault. The attacker could then have the malicious contract use revert whenever a withdraw call is made to it.
Manual Review
DoS
#0 - c4-judge
2023-07-16T21:47:39Z
Picodes marked the issue as duplicate of #324
#1 - c4-judge
2023-08-06T10:45:12Z
Picodes marked the issue as satisfactory