DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: low
Invalid

Lack of Duplicate Token Check Leads to Potential Overwrites and Inconsistencies in the addUnripeToken function

Summary

The addUnripeToken function in the UnripeFacet allows the addition of new Unripe Tokens. However, it does not check if the unripeToken already exists in s.sys.silo.unripeSettings, leading to potential overwrites and inconsistencies. This issue can be exploited by malicious users to cause operational disruptions and financial losses, undermining the protocol's integrity and user trust.

Proof of concept

1: Initial Addition of Unripe Token:

i: A malicious user adds a new Unripe Token with legitimate parameters

  • unripeToken = 0xTokenAddress1

  • underlyingToken = 0xUnderlyingToken1

  • root = 0xRoot1

ii: This creates an entry in s.sys.silo.unripeSettings for 0xTokenAddress1 with the specified settings.

2: Overwriting Existing Unripe Token:

i: The malicious user calls the addUnripeToken function again with the same unripeToken but different parameters:

  • unripeToken = 0xTokenAddress1

  • underlyingToken = 0xUnderlyingToken2

  • root = 0xRoot2

ii: Since there is no check for existing tokens, this overwrites the previous settings for 0xTokenAddress1 with the new parameters.

3: Inconsistency Creation:

  • The protocol now holds incorrect or inconsistent data for 0xTokenAddress1.

  • Users who expected 0xTokenAddress1 to convert to 0xUnderlyingToken1 now face unexpected behavior, receiving 0xUnderlyingToken2 instead.

  • Claims verification using the Merkle root is disrupted, potentially allowing fraudulent claims.

4: Repeated Exploitation:

  • The malicious user can repeat this process multiple times, each time changing the underlying token and Merkle root, causing continuous disruptions and inconsistencies.

5: Operational Disruption:

  • By exploiting this repeatedly, the malicious user can cause significant operational issues, making it difficult for the protocol to maintain reliable and consistent token settings.

Impact

  • Overwriting existing settings for Unripe Tokens can lead to inconsistencies and potential security vulnerabilities.

  • Malicious users could exploit this by repeatedly adding the same Unripe Token with different settings, causing operational disruptions and financial losses.

Test

    // SPDX-License-Identifier: MIT
    pragma solidity ^0.8.20;

    import "forge-std/Test.sol";
    import "../contracts/UnripeFacet.sol";
    import "../contracts/libraries/LibAppStorage.sol";
    import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

    contract TestDuplicateUnripeToken is Test {
        UnripeFacet unripeFacet;
        ERC20 unripeToken;
        AppStorage s;

        function setUp() public {
            unripeFacet = new UnripeFacet();
            unripeToken = new ERC20("Unripe Token", "URT");
            // Initialize other necessary contracts and states
        }

        function testDuplicateUnripeTokenAddition() public {
            address unripeTokenAddress = address(unripeToken);
            address underlyingToken = address(new ERC20("Ripe Token", "RPT"));
            bytes32 root = keccak256(abi.encodePacked("merkle root"));

            // Add Unripe Token for the first time
            unripeFacet.addUnripeToken(unripeTokenAddress, underlyingToken, root);

            // Try adding the same Unripe Token again with different underlyingToken and root
            address differentUnderlyingToken = address(new ERC20("Different Ripe Token", "DRPT"));
            bytes32 differentRoot = keccak256(abi.encodePacked("different merkle root"));

            // The expected revert message comes from the check proposed under Recommendations
            vm.expectRevert("Unripe token already exists");
            unripeFacet.addUnripeToken(unripeTokenAddress, differentUnderlyingToken, differentRoot);
        }
    }

Tools Used

Manual review

Recommendations

Implement a check to ensure that the unripeToken does not already exist in the settings before adding it:

    function addUnripeToken(
        address unripeToken,
        address underlyingToken,
        bytes32 root
    ) external payable fundsSafu noNetFlow noSupplyChange nonReentrant {
        LibDiamond.enforceIsOwnerOrContract();
        AppStorage storage s = LibAppStorage.diamondStorage();

        // Check if the Unripe Token already exists
        require(s.sys.silo.unripeSettings[unripeToken].underlyingToken == address(0), "Unripe token already exists");

        // Add the Unripe Token settings
        s.sys.silo.unripeSettings[unripeToken] = UnripeTokenSettings({
            underlyingToken: underlyingToken,
            merkleRoot: root,
            balanceOfUnderlying: 0 // Initially set to 0 or some default value
        });

        emit AddUnripeToken(unripeToken, underlyingToken, root);
    }
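
An added example, not part of the submission or of the project's own code: a stand-alone model of the settings mapping that puts the unguarded write described in the Summary next to the recommended existence check. The contract name, function names, struct layout and the onlyOwner modifier (a simplified stand-in for LibDiamond.enforceIsOwnerOrContract) are assumptions; the extra non-zero requirement is added here because the recommended check uses address(0) to mean "no entry".

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a stand-alone registry, not the project's UnripeFacet.
// UnripeRegistryModel, addUnguarded and addGuarded are hypothetical names.
contract UnripeRegistryModel {
    struct Settings {
        address underlyingToken;
        uint256 balanceOfUnderlying;
        bytes32 merkleRoot;
    }

    address public immutable owner;
    mapping(address => Settings) public unripeSettings;

    event AddUnripeToken(address indexed unripeToken, address indexed underlyingToken, bytes32 merkleRoot);

    // Simplified stand-in for the access check shown in the recommendation.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Unguarded form: a second call with the same unripeToken replaces
    // underlyingToken and merkleRoot without any signal to callers.
    function addUnguarded(address unripeToken, address underlyingToken, bytes32 root) external onlyOwner {
        unripeSettings[unripeToken] =
            Settings({underlyingToken: underlyingToken, balanceOfUnderlying: 0, merkleRoot: root});
        emit AddUnripeToken(unripeToken, underlyingToken, root);
    }

    // Guarded form: the recommended check, plus the condition that keeps it sound.
    function addGuarded(address unripeToken, address underlyingToken, bytes32 root) external onlyOwner {
        // address(0) marks "no entry", so it must never be stored as a real value;
        // otherwise a later duplicate add would pass the existence check below.
        require(underlyingToken != address(0), "Zero underlying token");
        require(unripeSettings[unripeToken].underlyingToken == address(0), "Unripe token already exists");
        unripeSettings[unripeToken] =
            Settings({underlyingToken: underlyingToken, balanceOfUnderlying: 0, merkleRoot: root});
        emit AddUnripeToken(unripeToken, underlyingToken, root);
    }
}
```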

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Gas

Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
