Tags: DeFi, Hardhat, Foundry
Prize pool: 250,000 USDC
Submission Details
Severity: High
Status: Invalid

User can call Tractor blueprint through Farm and collect excess ETH

Summary

Blueprint executor might steal excess ETH.

Vulnerability Details

When calling anything through farm with ETH, s.sys.isFarm is set to 2. This tells the contract not to refund any excess ETH until the transaction ends.

// Excerpt: the batching entry point and the modifier that sets the refund flag.
function farm(
    bytes[] calldata data
) external payable fundsSafu withEth returns (bytes[] memory results) {
    results = new bytes[](data.length);
    for (uint256 i; i < data.length; ++i) {
        results[i] = LibFarm._farm(data[i]);
    }
}

// isFarm == 2 while the batch runs: nested calls see the flag and skip their
// own refund; a single refund happens here once the whole batch has finished.
modifier withEth() {
    if (msg.value > 0) s.sys.isFarm = 2;
    _;
    if (msg.value > 0) {
        s.sys.isFarm = 1;
        LibEth.refundEth();
    }
}

However, this can be used by a blueprint executor to set the flag so that no excess ETH is returned. Then, if the blueprint includes an action that would usually refund the ETH (such as LibWeth.deposit), the refund will not be done and the ETH will be saved for the executor at the end.
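A minimal model of the refund-deferral pattern the excerpt shows, added here as an illustration and not Beanstalk's code. The names isFarm, withEth and farm mirror the excerpt; the vault address, the deposit action standing in for LibWeth.deposit, the flattened storage (a plain uint8 instead of s.sys.isFarm) and the assumption that the refund is paid to msg.sender are all assumptions of this example. What it isolates is the single fact the argument above turns on: once the flag is 2, an inner action no longer returns its own leftover ETH; the excess sits in the contract until farm returns and is then paid, in one transfer, to whoever called farm. The Tractor flow itself (executor calling on behalf of a publisher) is not modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal model of the isFarm refund-deferral pattern (illustration only,
/// not Beanstalk's code). Storage is flattened to a single uint8 instead of
/// s.sys.isFarm, and `deposit` stands in for an ETH-accepting action such as
/// LibWeth.deposit. Paying the refund to msg.sender is an assumption that
/// mirrors the excerpt's LibEth.refundEth call.
contract FarmRefundModel {
    /// 1 = plain call: each action refunds its own leftover ETH.
    /// 2 = inside farm(): refunds are deferred until farm() finishes.
    uint8 public isFarm = 1;

    /// Assumed sink that holds deposited ETH (stands in for the WETH contract),
    /// so that this contract's own balance is exactly the undeposited excess.
    address payable public immutable vault;

    event Refund(address indexed to, uint256 amount);

    constructor(address payable vault_) {
        vault = vault_;
    }

    modifier withEth() {
        if (msg.value > 0) isFarm = 2;
        _;
        if (msg.value > 0) {
            isFarm = 1;
            _refundEth();
        }
    }

    /// Refund logic shared by every action: a no-op while the flag is 2,
    /// otherwise pays the whole remaining balance to msg.sender of the
    /// current call frame.
    function _refundEth() internal {
        uint256 bal = address(this).balance;
        if (bal == 0 || isFarm == 2) return;
        (bool ok, ) = msg.sender.call{value: bal}("");
        require(ok, "refund failed");
        emit Refund(msg.sender, bal);
    }

    /// An ETH-accepting action. Called directly (isFarm == 1) it returns any
    /// value above `amount` at once; called inside farm() the excess stays in
    /// the contract until the batch ends. The check is on the contract balance
    /// rather than msg.value because, under delegatecall, msg.value is the
    /// whole outer value for every inner call and would pass a second deposit
    /// that the attached ETH cannot actually cover.
    function deposit(uint256 amount) public payable {
        require(address(this).balance >= amount, "insufficient ETH");
        (bool ok, ) = vault.call{value: amount}("");
        require(ok, "vault transfer failed");
        _refundEth();
    }

    /// Batches self-delegatecalls, as LibFarm._farm does through the diamond.
    /// msg.sender and msg.value are preserved across delegatecall, so every
    /// inner action sees the same caller; whatever ETH is left after the loop
    /// is refunded once, to that caller, by withEth.
    function farm(bytes[] calldata data)
        external
        payable
        withEth
        returns (bytes[] memory results)
    {
        results = new bytes[](data.length);
        for (uint256 i; i < data.length; ++i) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "farm call failed");
            results[i] = ret;
        }
    }
}
```

Deploy with any vault address and compare the two paths: deposit(1 ether) called directly with 2 ether attached emits Refund(caller, 1 ether) inside that same call, whereas farm([abi.encodeCall(FarmRefundModel.deposit, (1 ether)), abi.encodeCall(FarmRefundModel.deposit, (1 ether))]) with 3 ether attached emits no Refund from either inner deposit and a single Refund(caller, 1 ether) after the loop, paid to the farm caller.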

Impact

Blueprint executor can steal excess ETH.

Tools Used

Manual review

Recommendations

The fix is non-trivial.

Updates

Lead Judging Commences

inallhonesty (Lead Judge), about 1 year ago: Submission Judgement Published. Invalidated. Reason: Incorrect statement

Appeal created

deadrosesxyz (Submitter), about 1 year ago
deadrosesxyz (Submitter), about 1 year ago
giovannidisiena (Auditor), about 1 year ago

inallhonesty (Lead Judge), about 1 year ago: Submission Judgement Published. Invalidated. Reason: Non-acceptable severity
