Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Contracts allow sending ETH on calls which does not expect it #71

Open
code423n4 opened this issue Dec 14, 2021 · 2 comments
Open

Contracts allow sending ETH on calls which does not expect it #71

code423n4 opened this issue Dec 14, 2021 · 2 comments
Labels
1 (Low Risk) Assets are not at risk. State handling, function incorrect as to spec, issues with comments bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)

Comments

@code423n4
Copy link
Contributor

Handle

TomFrenchBlockchain

Vulnerability details

Impact

Detailed description of the impact of this finding.

Proof of Concept

Take for example the depositCollateral function. It's payable but the pool may not use ETH as collateral

https://github.com/code-423n4/2021-12-sublime/blob/9df1b7c4247f8631647c7627a8da9bdc16db8b11/contracts/Pool/Pool.sol#L175-L179

In the case where the user is performing a direct deposit then we'll pull in the erc20 collateral asset using the transferTokens function however there's no check for msg.value == 0 when transferring an ERC20 asset.

https://github.com/code-423n4/2021-12-sublime/blob/9df1b7c4247f8631647c7627a8da9bdc16db8b11/contracts/SavingsAccount/SavingsAccountUtil.sol#L98-L127

Similarly when depositing ETH from a savings account any ETH in msg.value will be lost.

Recommended Mitigation Steps

Add a check that msg.value is zero on all code paths which do not handle ETH.

Consider whether to simplify to just use WETH.
@code423n4 code423n4 added 1 (Low Risk) Assets are not at risk. State handling, function incorrect as to spec, issues with comments bug Something isn't working labels Dec 14, 2021
code423n4 added a commit that referenced this issue Dec 14, 2021
@code423n4
TomFrenchBlockchain issue #71
db35827
@ritik99 ritik99 added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Dec 23, 2021
@ritik99
Copy link
Collaborator

ritik99 commented Dec 23, 2021

We'll add extra checks on our end, but the underlying issue would stem from the end-user not performing proper checks - sending ETH during the ERC20 pulls when it isn't required. payable is necessary because there are instances where ETH could be the collateral

@ritik99 ritik99 mentioned this issue Dec 27, 2021
Closed
@0xean
Copy link
Collaborator

0xean commented Jan 21, 2022

going to leave as low risk, certainly would be a user error, but doesn't mean it doesn't result in a bad outcome that could be mitigated with the checks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1 (Low Risk) Assets are not at risk. State handling, function incorrect as to spec, issues with comments bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ritik99 @0xean @code423n4