Platform: Code4rena
Start Date: 22/07/2021
Pot Size: $80,000 USDC
Total HM: 6
Participants: 14
Period: 7 days
Judge: ghoulsol
Total Solo HM: 3
Id: 21
League: ETH
Rank: 7/14
Findings: 2
Award: $3,699.70
🌟 Selected for report: 1
🚀 Solo Findings: 0
jonah1005
In PoolOpen contract, pools' authentication is done through baseData. However, it handles token transfer based on the given parameter token. By appending a real token address at the end of the transaction and a fake address in the function parameter, attackers can stake an unlimited amount.
A simple exploit would be:
data = sherlock.encodeABI(fn_name='stake', args = [1*10**18, w3.eth.accounts[0], fake_token.address]) w3.eth.send_transaction({'from': admin, 'to': sherlock.address, 'data': data+dai.address[2:]})
baseData queries dai's pool while the contract charges the user's fakeToken
hardhat
The usage of baseData() is dangerous. The little benefit of gas efficiency comes with great cost in readibility. I recommend the dev using standard solidity.
PoolStrategy, PoolBase, and PoolOpen use the same pattern. There's should be a few exploits in these contracts. Since the root cause is similar, I skip those issues in order to not spam the system. I recommend the team check all these contracts if baseData is needed.
#0 - Evert0x
2021-07-30T14:49:51Z
#90
🌟 Selected for report: jonah1005
229.9835 USDC - $229.98
jonah1005
Using calldata for function parameter is a slightly more gas efficient
https://github.com/code-423n4/2021-07-sherlock/blob/main/contracts/facets/SherX.sol#L192-L225
None