Back to nedodn's contests

LI.FI contest - nedodn's results

Bridge & DEX Aggregation.

General Information

Platform: Code4rena

Start Date: 24/03/2022

Pot Size: $75,000 USDC

Total HM: 15

Participants: 59

Period: 7 days

Judge: gzeon

Id: 103

League: ETH

LI.FI

Findings Distribution

Researcher Performance

Rank: 39/59

Findings: 1

Award: $196.58

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryLI.FI

Findings Information

🌟 Selected for report: hake

Also found by: Jujic, WatchPug, catchup, danb, defsec, kirk-baird, nedodn, shenwilly, sorrynotsorry

Labels

bug
duplicate
2 (Med Risk)
sponsor acknowledged

Awards

196.5762 USDC - $196.58

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Libraries/LibSwap.sol#L42 https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/DexManagerFacet.sol#L17 https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/Swapper.sol#L15

Vulnerability details

Impact

There is a common vulnerability with aggregator/bridge contracts where passing in arbitrary calldata can do unwanted actions such as steal tokens that were approved to that contract. While there is a whitelist system set up, there is no stopping a malicious or comprised owner account from adding contracts to that list and executing these calls themselves. While the owners may be trustworthy, when the risks are total loss of funds for a user due to an approval (commonly used in the space and left) risk of external compromises should be taken seriously (see recent ronin/axs hack)

Proof of Concept

  1. Owner adds token contracts and transferFrom calldata to whitelist
  2. Owner inserts transferFrom data into _swapData
  3. Owner executes a swap that steals tokens that have been approved by users.

Tools Used

Line by line analysis

While I will admit these types of issues are tough to solve without some degree of trust, one can reduce the risk by adding in a timelock to the whitelist so that owners have a way to monitor if a malicious owner is attempting to steal.

#0 - H3xept

2022-04-12T09:20:02Z

The bridges/swaps ecosystem is continually changing. Our mission is to allow seamless UX and provide users with new bridging and swapping routes as fast as possible. This comes at the cost of having some degree of centralization. We chose the Diamond standard to be able to constantly add new bridges and update the existing ones as they improve and update.

We agree with the increased safety a DAO/Multisign mechanism and will provide them in the future. Timelocks are currently not planned, as we want to be able to react fast if we have to disable bridges for security reasons (e.g. if the underlying bridge is being exploited).

It's also worth noting how we do not perform unlimited approval on user funds.

#1 - H3xept

2022-04-12T09:33:53Z

Duplicate of #65

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter