Steadefi

DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: high
Invalid

External call to an unvalidated, user-supplied address in processDeposit

Summary

The contract makes a low-level external call to an address supplied by the user, in the form self.depositCache.user.call. The recipient is not validated, the calldata is empty, and all remaining gas plus the contract's entire native balance are forwarded, so whatever receive() or fallback() code the recipient defines runs in the middle of deposit processing with no restriction from the vault.

Vulnerability Details

In the processDeposit function, the contract sends value to self.depositCache.user with a low-level call. The address is not validated, and because the calldata is empty the call executes the recipient's receive() or fallback() function (there is no selector to restrict), forwarding all remaining gas and the contract's entire native balance (address(this).balance). If that call fails, require(success) reverts the whole processDeposit.

// Empty-calldata call: runs the recipient's receive()/fallback() with all
// remaining gas and sends the contract's entire native balance.
(bool success, ) = self.depositCache.user.call{value: address(this).balance}("");
// A recipient that rejects the transfer makes the whole processDeposit revert.
require(success, "Transfer failed.");

Impact

  • Asset Lockup: If the user's address is a contract that rejects native transfers (it has no receive() or fallback(), or that function reverts), the call fails, require(success) reverts, and processDeposit cannot complete. The assets it was about to release stay in the contract until the refund can succeed.

  • Denial of Service: Because all remaining gas is forwarded, the recipient's fallback code can burn the gas of whoever calls processDeposit, and a recipient that always reverts makes every processDeposit attempt for that deposit fail, so the deposit can never be processed.

Tools Used

Manual code review

Recommendations

  • Validate the External Address: Check the provided address (self.depositCache.user) before sending value to it, at minimum rejecting the zero address. A whitelist of permitted recipients is only practical where the set of depositors is closed; for an open vault the recipient is whoever deposited, so a recipient that cannot accept native tokens has to be treated as an expected case rather than a fatal one.

  • Do Not Push Value from processDeposit: An empty-calldata call has no function selector to restrict, so the useful control is the payment pattern, not the signature. Record the amount owed to the user and let the user withdraw it (pull payment), or cap the gas forwarded to the recipient and avoid reverting the whole deposit when the refund fails. Either way, send only the amount belonging to that user rather than address(this).balance.
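As an added example (not Steadefi's code and not part of the original submission), the following Foundry test contrasts the push refund quoted above with a pull-payment version. PushRefundVault, PullRefundVault, settle, withdrawRefund and RevertingReceiver are hypothetical stand-ins for the vault and its processDeposit; the 1 ether deposit is constructed input.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

interface IRefundVault {
    function deposit() external payable;
    function settle() external;
}

/// Push refund: the pattern quoted above. settle() sends the contract's whole
/// native balance to depositCache.user with all remaining gas and reverts when
/// the recipient rejects the transfer.
contract PushRefundVault is IRefundVault {
    struct DepositCache { address user; uint256 depositValue; }
    DepositCache public depositCache;

    function deposit() external payable {
        depositCache = DepositCache(msg.sender, msg.value);
    }

    // Hypothetical stand-in for processDeposit.
    function settle() external {
        (bool success, ) = depositCache.user.call{value: address(this).balance}("");
        require(success, "Transfer failed.");
        delete depositCache;
    }
}

/// Pull refund: settle() only records what the user is owed, so a recipient
/// that rejects native transfers cannot block processing. The credited amount
/// is bounded to that user's own deposit, not address(this).balance.
contract PullRefundVault is IRefundVault {
    struct DepositCache { address user; uint256 depositValue; }
    DepositCache public depositCache;
    mapping(address => uint256) public pendingRefund;

    function deposit() external payable {
        depositCache = DepositCache(msg.sender, msg.value);
    }

    function settle() external {
        address user = depositCache.user;
        uint256 amount = depositCache.depositValue;
        delete depositCache;
        pendingRefund[user] += amount;
    }

    function withdrawRefund() external {
        uint256 amount = pendingRefund[msg.sender];
        require(amount > 0, "Nothing to withdraw.");
        pendingRefund[msg.sender] = 0; // effects before the external call
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success, "Transfer failed.");
    }
}

/// Constructed recipient that refuses native transfers.
contract RevertingReceiver {
    function depositInto(IRefundVault vault) external payable {
        vault.deposit{value: msg.value}();
    }

    receive() external payable {
        revert("no native token accepted");
    }
}

contract RefundPatternTest is Test {
    RevertingReceiver receiver = new RevertingReceiver();

    function testPushRefundIsBlockedByRevertingRecipient() public {
        PushRefundVault vault = new PushRefundVault();
        receiver.depositInto{value: 1 ether}(vault);
        vm.expectRevert(bytes("Transfer failed."));
        vault.settle();                            // processing cannot complete
        assertEq(address(vault).balance, 1 ether); // funds stay locked in the vault
    }

    function testPullRefundSettlesDespiteRevertingRecipient() public {
        PullRefundVault vault = new PullRefundVault();
        receiver.depositInto{value: 1 ether}(vault);
        vault.settle();                            // succeeds; nothing is pushed
        assertEq(vault.pendingRefund(address(receiver)), 1 ether);
        assertEq(address(vault).balance, 1 ether); // held until the user withdraws
    }
}
```

Run with forge test. The first test shows the failure mode described in Impact: a recipient whose receive() reverts blocks settle() outright and the value stays in the vault. The second shows the recommendation: settle() completes regardless of the recipient, and only the recipient's own withdrawRefund() call can fail.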

Updates

Lead Judging Commences

hans Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
