Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Anyone can remove existing term without queueing through setTerms() #59

Open
c4-bot-7 opened this issue Apr 16, 2024 · 4 comments
Open

Anyone can remove existing term without queueing through setTerms() #59

c4-bot-7 opened this issue Apr 16, 2024 · 4 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-06 primary issue Highest quality submission among a set of duplicates 🤖_11_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@c4-bot-7
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-04-gondi/blob/b9863d73c08fcdd2337dc80a8b5e0917e18b036c/src/lib/pools/PoolOfferHandler.sol#L110

Vulnerability details

Impact

In PoolOfferHandler, new terms require a two-step process for setting (setTerms() and confirmTerms()). The setTerm() function is onlyOwner, but the confirmTerms() function can be called by anyone. This function uses the provided input __terms from the caller to execute the logic. This could enable an attacker to remove all existing terms, even if the owner does not intend to do so (without pending through the setTerms() function).

function confirmTerms(TermsKey[] calldata _termKeys, Terms[] calldata __terms) external { 
    if (block.timestamp - pendingTermsSetTime < NEW_TERMS_WAITING_TIME) {
        revert TooSoonError();
    }
    for (uint256 i = 0; i < __terms.length; i++) {
        if (_termKeys[i].duration > getMaxDuration) {
            revert InvalidDurationError();
        }
        uint256 pendingAprPremium = _pendingTerms[_termKeys[i].collection][_termKeys[i].duration][_termKeys[i]
            .maxSeniorRepayment][__terms[i].principalAmount];
        // @audit Can be used to remove terms without pending through setTerm()
        if (pendingAprPremium != __terms[i].aprPremium) {
            revert InvalidTermsError();
        }
        _terms[_termKeys[i].collection][_termKeys[i].duration][_termKeys[i].maxSeniorRepayment][__terms[i]
            .principalAmount] = __terms[i].aprPremium;
        delete _pendingTerms[_termKeys[i].collection][_termKeys[i].duration][_termKeys[i]
            .maxSeniorRepayment][__terms[i].principalAmount];
    }
    pendingTermsSetTime = type(uint256).max;

    emit TermsSet(_termKeys, __terms);
}

Proof of Concept

Consider the following scenario

  1. The pool has 5 existing terms. Now the owner wants to create a new term in the Pool, so they call setTerms() with the __terms they want to set up. The new term is pending confirmation after a waiting period.
  2. After NEW_TERMS_WAITING_TIME, an attacker calls confirmTerms() with _termKeys set to all 5 existing terms and __terms.aprPremium = 0.
  3. The function executes with the input provided by the attacker. Since the pendingAprPremium of these terms is reset to 0 after it is confirmed earlier, the check if (pendingAprPremium != __terms[i].aprPremium) is bypassed. The attacker could set the _terms[][][][] mapping of existing loans to 0.

Tools Used

Manual Review

Recommended Mitigation Steps

Only allow the owner to call confirmTerms().

Assessed type

Invalid Validation
@c4-bot-7 c4-bot-7 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Apr 16, 2024
c4-bot-7 added a commit that referenced this issue Apr 16, 2024
@c4-bot-7
minhquanym issue #59
f284b86
@c4-bot-12 c4-bot-12 added the 🤖_11_group AI based duplicate group recommendation label Apr 17, 2024
@c4-judge
Copy link
Contributor

0xA5DF marked the issue as primary issue

@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Apr 17, 2024
@0xend 0xend added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Apr 19, 2024
@c4-judge
Copy link
Contributor

0xA5DF marked the issue as satisfactory

@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report labels Apr 20, 2024
@c4-judge
Copy link
Contributor

0xA5DF marked the issue as selected for report

@0xend
Copy link

0xend commented Apr 20, 2024

https://github.com/pixeldaogg/florida-contracts/pull/367

@C4-Staff C4-Staff added the M-06 label Apr 24, 2024
@c4-bot-9 c4-bot-9 mentioned this issue May 24, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-06 primary issue Highest quality submission among a set of duplicates 🤖_11_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@0xend @c4-judge @C4-Staff @c4-bot-7 @c4-bot-12