prePO contest - hihen's results

Decentralized Exchange for Pre-IPO Stocks & Pre-IDO Tokens.

General Information

Platform: Code4rena

Start Date: 09/12/2022

Pot Size: $36,500 USDC

Total HM: 9

Participants: 69

Period: 3 days

Judge: Picodes

Total Solo HM: 2

Id: 190

League: ETH

prePO

Findings Distribution

Researcher Performance

Rank: 44/69

Findings: 1

Award: $52.84

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: obront

Also found by: 8olidity, HE1M, Madalad, Trust, cccz, csanuragjain, deliriusz, hansfriese, hihen, joestakey, rvierdiiev, wait, zaskoh

Labels

bug
2 (Med Risk)
satisfactory
duplicate-254

Awards

52.8446 USDC - $52.84

External Links

Lines of code

https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L80-L83

https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L85-L88

https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L112-L115

Vulnerability details

Impact

A hacked or malicious admin can immediately steal all baseToken that users have deposited in Collateral.

If Collateral is deployed as an upgradable proxy, the Collateral contract admin could also steal all assets approved to this contract address.

Proof of Concept

A hacked or malicious admin can steal the assets by following these steps:

  1. Use the DEFAULT_ADMIN_ROLE to grant their own account X the roles MANAGER_WITHDRAW_ROLE, SET_MANAGER_ROLE and SET_MANAGER_WITHDRAW_HOOK_ROLE, and accept them.
  2. Use account X to call Collateral.setManagerWithdrawHook() with _newManagerWithdrawHook = 0, disabling the ManagerWithdrawHook.
  3. Use account X to call Collateral.setManager() with _newManager = X.
  4. Use account X to call Collateral.managerWithdraw(), transferring all baseToken to X (because managerWithdrawHook is 0 and manager is X now).

If Collateral is deployed behind a proxy (like UUPS or ERC-1967), the proxy admin could steal all baseToken in this contract and all assets approved to this contract by upgrading Collateral to a new malicious contract.

Tools Used

VS Code

Recommended Mitigation Steps

For the Collateral contract, the following changes are recommended:

  • managerWithdrawHook should be set to a valid contract in initialize().
  • Add a timelock that disables Collateral.managerWithdraw() for some time whenever either managerWithdrawHook or manager changes.

For the proxy contract, two options are recommended:

  1. Deploy Collateral behind a non-upgradable proxy.
  2. The upgradable proxy should have a timelock on upgrades, giving users enough time to withdraw and cancel their approvals before a malicious upgrade can take effect.
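A standalone sketch of the two Collateral changes recommended above, added here as an illustration; it is not prePO's code, and the single admin, the IWithdrawHook interface and the 2-day WITHDRAW_DELAY are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Standalone sketch, not prePO's Collateral.sol: roles are reduced to a single admin and the
// hook interface is hypothetical. It shows the two recommended changes: the hook must be a
// contract at initialize(), and managerWithdraw() is refused for WITHDRAW_DELAY after the
// manager or the hook changes, so users can exit before a new configuration can move funds.
interface IWithdrawHook { function check(address caller, uint256 amount) external; }
interface IERC20Minimal { function transfer(address to, uint256 amount) external returns (bool); }

contract CollateralTimelockSketch {
    uint256 public constant WITHDRAW_DELAY = 2 days; // assumed delay, long enough to react to the event
    address public admin;              // stands in for DEFAULT_ADMIN_ROLE
    address public manager;
    IWithdrawHook public managerWithdrawHook;
    IERC20Minimal public baseToken;
    uint256 public withdrawUnlockTime; // managerWithdraw() reverts before this timestamp
    event WithdrawLocked(uint256 unlockTime); // monitor this to detect manager/hook changes
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    // Mitigation 1: the hook is a deployed contract from the start, so no unchecked withdrawal path exists.
    function initialize(address _baseToken, address _manager, address _hook) external {
        require(admin == address(0), "already initialized");
        require(_hook.code.length > 0, "hook must be a deployed contract");
        admin = msg.sender;
        baseToken = IERC20Minimal(_baseToken);
        manager = _manager;
        managerWithdrawHook = IWithdrawHook(_hook);
        _relock();
    }

    // Mitigation 2: changing who may withdraw, or what checks withdrawals, restarts the timelock.
    function setManager(address _newManager) external onlyAdmin {
        manager = _newManager;
        _relock();
    }

    function setManagerWithdrawHook(address _newHook) external onlyAdmin {
        require(_newHook.code.length > 0, "hook cannot be disabled"); // the zero address is rejected
        managerWithdrawHook = IWithdrawHook(_newHook);
        _relock();
    }

    function managerWithdraw(uint256 _amount) external {
        require(msg.sender == manager, "not manager");
        require(block.timestamp >= withdrawUnlockTime, "withdraw timelocked");
        managerWithdrawHook.check(msg.sender, _amount); // the hook always runs; it can never be unset
        require(baseToken.transfer(manager, _amount), "transfer failed");
    }

    function _relock() private { withdrawUnlockTime = block.timestamp + WITHDRAW_DELAY; emit WithdrawLocked(withdrawUnlockTime); }
}
```

With this layout the four-step sequence in the proof of concept stalls at step 2 (the hook cannot be set to 0) and, even if the manager is changed, step 4 reverts until WITHDRAW_DELAY has elapsed after the WithdrawLocked event.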

#0 - hansfriese

2022-12-14T18:09:54Z

duplicate of #254

#1 - c4-judge

2022-12-17T10:04:22Z

Picodes marked the issue as duplicate of #254

#2 - c4-judge

2023-01-01T17:43:11Z

Picodes marked the issue as satisfactory
