Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible incentive theft through the arbitraryCall() function #199

Open
code423n4 opened this issue Dec 6, 2021 · 1 comment
Open

Possible incentive theft through the arbitraryCall() function #199

code423n4 opened this issue Dec 6, 2021 · 1 comment
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Handle

toastedsteaksandwich

Vulnerability details

Impact

The Locke.arbitraryCall() function allows the inherited governance contract to perform arbitrary contract calls within certain constraints. Contract calls to tokens provided as incentives through the createIncentive() function are not allowed if there is some still some balance according to the incentives mapping (See line 735 referenced below).

However, the token can still be called prior any user creating an incentive, so it's possible for the arbitraryCall() function to be used to set an allowance on an incentive token before the contract has actually received any of the token through createIncentive().

In summary:

  1. If some possible incentive tokens are known prior to being provided, the arbitraryCall() function can be used to pre-approve a token allowance for a malicious recipient.
  2. Once a user calls createIncentive() and provides one of the pre-approved tokens, the malicious recipient can call transferFrom on the provided incentive token and withdraw the tokens.

Proof of Concept

https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L735

Recommended Mitigation Steps

Recommendation 1

Limit the types of incentive tokens so it can be checked that it's not the target contract for the arbitraryCall().

Recommendation 2

Validate that the allowance of the target contract (if available) has not changed.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Dec 6, 2021
code423n4 added a commit that referenced this issue Dec 6, 2021
@code423n4
toastedsteaksandwich issue #199
cc0150e
@brockelmore brockelmore mentioned this issue Dec 8, 2021
Closed
@brockelmore
Copy link
Collaborator

brockelmore commented Dec 8, 2021
edited
Loading

duplicates: #209, #200, #174, #141, #107, #48

@brockelmore brockelmore added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Dec 8, 2021
This was referenced Jan 14, 2022
Closed
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@brockelmore @code423n4