Althea Liquid Infrastructure - petro_1912's results

Lines of code

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/tree/main/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L142-L145

Vulnerability details

Impact

An approved holder with zero balance can be added several times to holders, so it can receive rewards several times during a revenue distribution, so by exploiting it, can drain all distributableERC20s from LiquidInfrastructureERC20.

Proof of Concept

_beforeTokenTransfer function doesn't check the amount being received at all, so any account can send 0 tokens to approved holder(which has zero balance), then it can be added in holders though it has zero balance.
_afterTokenTransfer function doesn't check the amount and updated balance of to account too, so it exists in holders.

Attack Scenario A, B = approved holder, C = any account

1. Approved holder(A) sends his all tokens to another Approved holder(B) to empty his balance.

// in A = Approved Holder
IERC20(liquidInfrastructureERC20).transfer(B, IERC20(liquidInfrastructureERC20).balanceOf(A));

2. Any EOA(B or, C = another) sends zero token to A, then A can be added into holders array. This process can be repeated as many as possible.

// in EOA (B or C = it doesn't need to be approved holder )
for (uint256 i = 0; i < 1000; i++) {
   IERC20(liquidInfrastructureERC20).transfer(A, 0);
}

then holders can have many A items. but at the moment balance of A is zero, so can not receive a revenue.

// holders = [..., A, A, A, A]

4. B sends token back to A to receive a revenue.

// in B 
IERC20(liquidInfrastructureERC20).transfer(A, amount);

5. During distribution, it can receive rewards many times from the contract.

Tools Used

Manual review

Recommended Mitigation Steps

Holder with zero balance should not be added to holders and duplication should not be allowed in holders.

    function _beforeTokenTransfer(
        address from,
        address to,
        uint256 amount
    ) internal virtual override {
        require(!LockedForDistribution, "distribution in progress");
+	require(amount != 0, "zero amount");
        if (!(to == address(0))) {
            require(
                isApprovedHolder(to),
                "receiver not approved to hold the token"
            );
        }
        if (from == address(0) || to == address(0)) {
            _beforeMintOrBurn();
        }
        bool exists = (this.balanceOf(to) != 0);
        if (!exists) {
+	   bool isInHolder = false;
+	   for (uint i = 0; i < holders.length; i++) {
+             if (holders[i] == to) {
+                 isInHolder = true;
+                 break;
+             }
+          }
+	   if (!isInHolder)
+		holders.push(to); 
-	   holders.push(to);
        }
    }

Assessed type

Invalid Validation