Locke.sol:Stream - arbitraryCall can be used to drain incentive tokens
#209
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
Comments
code423n4
added
3 (High Risk)
|
dupe of #199 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
ScopeLift
Vulnerability details
Impact
Governor can drain incentive balance via
arbitraryCallProof of Concept
The Stream contract offers
createIncentivehttps://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L500 andclaimIncentivehttps://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L516 which is the way the contract "expects" incentives to go. Access to claiming incentives is limited to the stream creator after the stream ends.We assume the governor is untrusted, therefore we check to ensure the depositToken and rewardToken balances don't change. The contract also prevents against direct calls to incentive token contracts that have an incentive balance: L735 https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L735
However a malicious governor could optimistically call
token.approve(maliciousActor, MAX_UINT)on tokens where an incentive is expected. maliciousActor could be any address, and could then transfer out incentive balance whenever an incentive is created.Tools Used
Recommended Mitigation Steps
Replace
arbitraryCallwith more targeted behaviorOr
Inside
arbitraryCall, block calls toapproveandsafeApproveby checking the function selector encoded indataThe text was updated successfully, but these errors were encountered: