The addUnripeToken function in the UnripeFacet allows the addition of new Unripe Tokens. However, it does not check if the unripeToken already exists in s.sys.silo.unripeSettings, leading to potential overwrites and inconsistencies. This issue can be exploited by malicious users to cause operational disruptions and financial losses, undermining the protocol's integrity and user trust.
1: Initial Addition of Unripe Token:
i: A malicious user adds a new Unripe Token with legitimate parameters:
unripeToken = 0xTokenAddress1
underlyingToken = 0xUnderlyingToken1
root = 0xRoot1
ii: This creates an entry in s.sys.silo.unripeSettings for 0xTokenAddress1 with the specified settings.
2: Overwriting Existing Unripe Token:
i: The malicious user calls the addUnripeToken function again with the same unripeToken but different parameters:
unripeToken = 0xTokenAddress1
underlyingToken = 0xUnderlyingToken2
root = 0xRoot2
ii: Since there is no check for existing tokens, this overwrites the previous settings for 0xTokenAddress1 with the new parameters.
3: Inconsistency Creation:
The protocol now holds incorrect or inconsistent data for 0xTokenAddress1.
Users who expected 0xTokenAddress1 to convert to 0xUnderlyingToken1 now face unexpected behavior, receiving 0xUnderlyingToken2 instead.
Claims verification using the Merkle root is disrupted, potentially allowing fraudulent claims.
4: Repeated Exploitation:
The malicious user can repeat this process multiple times, each time changing the underlying token and Merkle root, causing continuous disruptions and inconsistencies.
5: Operational Disruption:
By exploiting this repeatedly, the malicious user can cause significant operational issues, making it difficult for the protocol to maintain reliable and consistent token settings.
Overwriting existing settings for Unripe Tokens can lead to inconsistencies and potential security vulnerabilities.
Malicious users could exploit this by repeatedly adding the same Unripe Token with different settings, causing operational disruptions and financial losses.
Manual review
Implement a check to ensure that the unripeToken does not already exist in the settings before adding it.
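The recommended check, sketched as a stand-alone Solidity model next to the overwriting behaviour the finding describes. This is an added example, not the protocol's own code: the contract name, struct layout, errors and event are assumptions, and access control is left out of the model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal model of the settings registry discussed above. All names here are
// assumptions made for illustration; this is not the protocol's source.
contract UnripeRegistryModel {
    struct UnripeSettings {
        address underlyingToken;
        bytes32 merkleRoot;
    }

    // Stand-in for s.sys.silo.unripeSettings.
    mapping(address => UnripeSettings) private unripeSettings;

    error ZeroAddress();
    error UnripeTokenAlreadyAdded(address unripeToken);
    event AddUnripeToken(address indexed unripeToken, address indexed underlyingToken, bytes32 merkleRoot);

    // Behaviour described in the finding: a second call silently replaces the entry.
    function addUnripeTokenUnchecked(address unripeToken, address underlyingToken, bytes32 root) external {
        unripeSettings[unripeToken] = UnripeSettings(underlyingToken, root);
        emit AddUnripeToken(unripeToken, underlyingToken, root);
    }

    // Recommended form. A mapping has no "exists" flag, so a non-zero underlyingToken
    // is used as the marker, which is why a zero address must be rejected on write.
    function addUnripeToken(address unripeToken, address underlyingToken, bytes32 root) external {
        if (unripeToken == address(0) || underlyingToken == address(0)) revert ZeroAddress();
        if (unripeSettings[unripeToken].underlyingToken != address(0)) {
            revert UnripeTokenAlreadyAdded(unripeToken);
        }
        unripeSettings[unripeToken] = UnripeSettings(underlyingToken, root);
        emit AddUnripeToken(unripeToken, underlyingToken, root);
    }

    function getSettings(address unripeToken) external view returns (address, bytes32) {
        UnripeSettings storage st = unripeSettings[unripeToken];
        return (st.underlyingToken, st.merkleRoot);
    }
}
```

With the guarded function, a second call for 0xTokenAddress1 reverts with UnripeTokenAlreadyAdded, so the stored underlying token and Merkle root stay as first written.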
Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity