ParaSpace contest - ksk2345's results

The First Ever Cross-Margin NFT Financialization Protocol.

General Information

Platform: Code4rena

Start Date: 28/11/2022

Pot Size: $192,500 USDC

Total HM: 33

Participants: 106

Period: 11 days

Judge: LSDan

Total Solo HM: 15

Id: 186

League: ETH

ParaSpace

Researcher Performance

Rank: 66/106

Findings: 1

Award: $103.92

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/pool/PoolCore.sol#L156

Vulnerability details

Function supplyWithPermit is incompatible with the DAI permit interface. It may work for other stablecoins such as USDC and USDT, but DAI users may be at a disadvantage.

Impact

supplyWithPermit() in PoolCore.sol is an external function that can be called directly, bypassing the UI. In such cases, the user will not be able to supply DAI through supplyWithPermit(): the function is broken for DAI due to an interface/parameter mismatch.

Proof of Concept

Contract: PoolCore.sol
Function: supplyWithPermit

This internally calls:

    IERC20WithPermit(asset).permit(
        msg.sender,
        address(this),
        amount,
        deadline,
        permitV,
        permitR,
        permitS
    );

Whereas in the DAI contract, permit is defined as below:

    function permit(address holder, address spender, uint256 nonce, uint256 expiry, bool allowed, uint8 v, bytes32 r, bytes32 s) external

ref: https://etherscan.io/address/0x6b175474e89094c44da98b954eedeac495271d0f#code

DAI's permit has an additional bool field 'allowed', and the nonce parameter will also be incorrect.

Customise supplyWithPermit to handle DAI specifically, alongside the other stablecoins: check whether the asset is DAI and, if so, call permit with the different parameters/signature.

#0 - c4-judge

2022-12-20T16:32:14Z

dmvt marked the issue as duplicate of #203

#1 - c4-judge

2023-01-23T12:09:31Z

dmvt marked the issue as not a duplicate

#2 - c4-judge

2023-01-23T12:09:46Z

dmvt changed the severity to QA (Quality Assurance)

#3 - c4-judge

2023-01-25T16:18:22Z

dmvt marked the issue as grade-b
