Olympus DAO contest - sorrynotsorry's results

Version 3 of Olympus protocol, a decentralized floating currency.

General Information

Platform: Code4rena

Start Date: 25/08/2022

Pot Size: $75,000 USDC

Total HM: 35

Participants: 147

Period: 7 days

Judge: 0xean

Total Solo HM: 15

Id: 156

League: ETH

Olympus DAO

Researcher Performance

Rank: 36/147

Findings: 2

Award: $536.51

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: zzzitron

Also found by: Ruhum, Trust, berndartmueller, csanuragjain, pashov, sorrynotsorry

Labels

bug
duplicate
3 (High Risk)

Awards

482.1975 DAI - $482.20

External Links

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/TRSRY.sol#L64-L72

Vulnerability details

Impact

Multiple Withdrawal Attack Vector in TRSRY.sol

Proof of Concept

TRSRY.sol has a setApprovalFor method to set approval for specific withdrawer addresses. The function is as below:

    function setApprovalFor(
        address withdrawer_,
        ERC20 token_,
        uint256 amount_
    ) external permissioned {
        withdrawApproval[withdrawer_][token_] = amount_;

        emit ApprovedForWithdrawal(withdrawer_, token_, amount_);
    }

https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/TRSRY.sol#L64-L72

However, a malicious/compromised withdrawer may monitor the mempool for this new setting and can frontrun it by withdrawing the existing approval amount. So the account will have a fresh approval and an executed withdrawal.

Tools Used

Manual Review

The team might consider adding require(withdrawApproval[withdrawer_][token_] == 0);, which will prevent accounts from hitting the problem.
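As an added illustration (not code from the Olympus repository or from the warden), a minimal approval registry that applies the zero-first check above, extended to still allow resetting a non-zero approval to zero, alongside a compare-and-set variant; the ERC20 type is replaced by a plain address, and admin, setApprovalForExpected and withdrawReserves are hypothetical names:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not TRSRY.sol: withdrawApproval and ApprovedForWithdrawal
// mirror the names in the report, everything else is hypothetical.
contract ApprovalRegistry {
    address public immutable admin;
    mapping(address => mapping(address => uint256)) public withdrawApproval;

    event ApprovedForWithdrawal(address indexed withdrawer, address indexed token, uint256 amount);

    modifier permissioned() {
        require(msg.sender == admin, "not permissioned");
        _;
    }

    constructor() { admin = msg.sender; }

    // Zero-first rule: a non-zero approval may only be replaced by zero.
    // A withdrawal that lands just before this call therefore cannot be
    // combined with a freshly granted amount; the grant reverts instead.
    function setApprovalFor(address withdrawer_, address token_, uint256 amount_) external permissioned {
        uint256 current = withdrawApproval[withdrawer_][token_];
        require(current == 0 || amount_ == 0, "reset to zero first");
        withdrawApproval[withdrawer_][token_] = amount_;
        emit ApprovedForWithdrawal(withdrawer_, token_, amount_);
    }

    // Compare-and-set alternative: the caller states the approval it
    // believes is in place; if a withdrawal consumed it first, this reverts.
    function setApprovalForExpected(address withdrawer_, address token_, uint256 expected_, uint256 amount_) external permissioned {
        require(withdrawApproval[withdrawer_][token_] == expected_, "approval changed");
        withdrawApproval[withdrawer_][token_] = amount_;
        emit ApprovedForWithdrawal(withdrawer_, token_, amount_);
    }

    // Withdrawal path that consumes the approval (token transfer omitted).
    function withdrawReserves(address token_, uint256 amount_) external {
        uint256 approval = withdrawApproval[msg.sender][token_];
        require(approval >= amount_, "insufficient approval");
        withdrawApproval[msg.sender][token_] = approval - amount_;
    }
}
```

With either setter, the sequence "withdraw old amount, then receive the new amount" can no longer succeed in a single block unless the operator explicitly re-issues the grant after seeing the withdrawal.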

#0 - 0xean

2022-09-16T21:07:59Z

dupe of #410

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/TRSRY.sol#L122-L135

Vulnerability details

Impact

setDebt function of TRSRY.sol has no comparison of financial values and sets/erases debts for arbitrary addresses for arbitrary amounts.

Proof of Concept

The TRSRY.sol has a setDebt function to renew the debt of an address to a new ERC20 token in special cases. However, it's not clear or in guidance to which value it will be renewed. It only compares the amount of both tokens only. It can be abused very easily once any human error is engaged by miscalculation. One more concern is that the function can erase/increase any debt of any address arbitrarily.

The function is as below:

    function setDebt(
        ERC20 token_,
        address debtor_,
        uint256 amount_
    ) external permissioned {
        uint256 oldDebt = reserveDebt[token_][debtor_];

        reserveDebt[token_][debtor_] = amount_;

        if (oldDebt < amount_) totalDebt[token_] += amount_ - oldDebt;
        else totalDebt[token_] -= oldDebt - amount_;

        emit DebtSet(token_, debtor_, amount_);
    }

https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/modules/TRSRY.sol#L122-L135

Tools Used

Manual Review

The team might consider adding more checks/conditions to minimize the risk.

#0 - ind-igo

2022-09-08T04:57:54Z

This is intended to be a very safeguarded function, not to be used unless in extreme circumstances. That is why it is permissioned.

#1 - 0xean

2022-09-19T17:07:31Z

Downgrading to QA.
