The Standard
DeFi, Hardhat
20,000 USDC
Submission Details
Severity: high
Valid

LiquidationPoolManager ERC20 tokens can be drained from the LiquidationPool

Vulnerability Details

The Liquidation Pool Manager contract approves the Liquidation Pool to spend an amount of tokens in
two cases: during a fee distribution and during a liquidation. If specific conditions are met,
the approved amount is not spent by the Liquidation Pool and remains available until the
approval amount is modified.

During a fee distribution in the distributeFees function of the LPManager, the LPManager approves
the Liquidation Pool for a specific amount of tokens, _feesForPool. Then, the LPManager
calls the distributeFees function of the Liquidation Pool.

This function checks that getTstTotal() > 0 before spending the approved amount of tokens.
Otherwise, it does not spend the funds. Then, the LPManager transfers all its tokens to the protocol.

Once this scenario has occurred, an attacker can wait until the LPManager receives tokens. Once the balance
of the LPManager is no longer zero, the attacker can transfer the tokens from the LPManager to the Liquidation
Pool by calling distributeAssets on the Liquidation Pool.

Impact

An attacker can force a transfer from the LPManager to the LP.

Tools Used

Scope:

  • https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPoolManager.sol#L37-L38

  • https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L184

  • https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L232

PoC - Workflow

The general workflow of the vulnerability is:

  1. LiquidationPoolManager:distributeFees:

    1. 1000 EUROs tokens are approved to LP

    2. LiquidationPoolManager:distributeFees is called by LPM

      1. getTstTotal() == 0, so the 1000 EUROs tokens are not transferred

    3. LPM transfers the remaining EUROs to the protocol

    4. The approval is not reset to zero and not spent!

  2. Anybody sends 500 EUROs tokens to the LPM

  3. Attacker calls LiquidationPool:distributeAssets:

    1. LP transfers 500 EUROs tokens from LPM to LP

As a result, the attacker was able to drain tokens from the LPM to the LP.
In practice, this can be done by holders to earn more tokens.

Recommendations

Consider resetting the approval to zero after calling the Liquidation Pool at location: https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPoolManager.sol#L38.

A second way to fix it is to restrict the access to distributeAssets by adding the onlyManager modifier.
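
The workflow above and the first recommendation, replayed on a simplified allowance model. This is an added example, not code from the submission or from the project's Solidity contracts; the `Token` class, the function names and the `"LPM"`/`"LP"`/`"protocol"` account labels are assumptions made for illustration.

```python
# Simplified, constructed model of ERC20 allowance state (not the project's contracts).
class Token:
    """Minimal ERC20-style ledger: balances plus (owner, spender) allowances."""
    def __init__(self):
        self.balance = {}
        self.allowance = {}

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount   # overwrites the previous value

    def transfer(self, src, dst, amount):
        if self.balance.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balance[src] = self.balance.get(src, 0) - amount
        self.balance[dst] = self.balance.get(dst, 0) + amount

    def transfer_from(self, spender, owner, dst, amount):
        if self.allowance.get((owner, spender), 0) < amount:
            raise PermissionError("insufficient allowance")
        self.transfer(owner, dst, amount)
        self.allowance[(owner, spender)] -= amount


def distribute_fees(token, tst_total, fees_for_pool, reset_approval):
    """Manager-side fee distribution; reset_approval applies the recommended fix."""
    token.approve("LPM", "LP", fees_for_pool)
    if tst_total > 0:                        # the pool only pulls when TST is staked
        token.transfer_from("LP", "LPM", "LP", fees_for_pool)
    if reset_approval:
        token.approve("LPM", "LP", 0)        # recommendation: clear any leftover allowance
    token.transfer("LPM", "protocol", token.balance.get("LPM", 0))


def run_scenario(reset_approval):
    """Replay the workflow: unspent approval, later deposit, then a pull by the pool."""
    token = Token()
    token.balance["LPM"] = 1000              # constructed starting balance
    distribute_fees(token, tst_total=0, fees_for_pool=1000,
                    reset_approval=reset_approval)
    token.balance["LPM"] = 500               # step 2: LPM later holds 500 EUROs
    try:
        token.transfer_from("LP", "LPM", "LP", 500)   # pull made in distributeAssets
        pulled = True
    except PermissionError:
        pulled = False
    # (did the pull succeed, remaining LPM->LP allowance, LP balance)
    return pulled, token.allowance[("LPM", "LP")], token.balance.get("LP", 0)
```

A non-zero LPM-to-LP allowance after `distribute_fees` returns is the condition to assert against in a regression test of the real contracts.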

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

distributeAssets-issue
