Root Cause: Insufficient validation of remainingAmount and transferAmount.
Impact: Funds at risk due to potential manipulation of refund amounts, leading to excessive refunds.
Insufficient validation in the abortAskOffer function allows manipulation of refund calculations, potentially leading to excessive refunds and financial losses for the protocol.
Insufficient validation of remainingAmount and transferAmount allows manipulation of refund calculations, leading to excessive refunds.
abortAskOffer
Offer Creation:
A maker creates an offer with specific parameters (e.g., amount, points, collateralRate).
The offer is in the Virgin state, and the collateral is transferred to the contract.
Taker Interaction:
One or more takers interact with the offer, using a portion of the points.
The offer's usedPoints is updated accordingly.
Step 1: Attacker Identifies Vulnerable Offer
The attacker identifies an offer that has been partially used but is still in a state where it can be aborted (Virgin or Canceled).
Step 2: Attacker Manipulates Points
The attacker manipulates the points used in the offer to create a scenario where the remainingAmount calculation becomes favorable.
For example, the attacker ensures that remainingAmount is calculated in such a way that it exceeds the actual amount that should be refunded.
Step 3: Attacker Calls abortAskOffer
The attacker calls the abortAskOffer function with the manipulated offer.
The function calculates remainingAmount and transferAmount based on the manipulated points.
Step 4: Refund Calculation
The function then calculates the refund amount, makerRefundAmount, from remainingAmount and transferAmount.
Step 5: Excessive Refund Issued
Due to the manipulated points and inadequate validation, the makerRefundAmount is calculated to be higher than it should be.
The attacker receives an excessive refund, draining more funds than they are entitled to.
The attacker successfully exploits the refund calculation logic to receive an excessive refund.
The protocol loses funds due to the overpayment.
For the detailed impact, see the vulnerability outcome above.
Exploiting this vulnerability can lead to excessive refunds, draining funds from the protocol.
Manual code review
Add checks to ensure that the state transitions are consistent and valid.
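The following is an added illustration of the recommended checks, not the audited contract's code: a simplified, hypothetical model of an ask offer using the field names from this finding (amount, points, usedPoints, collateralRate, Virgin, Canceled), with an assumed refund formula and an assumed per-offer collateral field, so that every value feeding the refund is validated before makerRefundAmount is paid.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified model; field names follow the finding,
// the refund arithmetic itself is an assumption, not the audited code.
enum OfferStatus { Virgin, Ongoing, Canceled, Settled }

struct OfferInfo {
    uint256 amount;         // total amount the offer was created with
    uint256 points;         // total points offered
    uint256 usedPoints;     // points already taken by takers
    uint256 collateralRate; // basis points, 10_000 == 100%
    uint256 collateral;     // collateral actually held for this offer (assumed field)
    OfferStatus offerStatus;
    bool aborted;
}

contract AbortAskOfferGuarded {
    uint256 private constant ONE_HUNDRED_PERCENT = 10_000;
    mapping(bytes32 => OfferInfo) public offers;

    error InvalidStatus();
    error InvalidPoints(uint256 usedPoints, uint256 points);
    error RefundExceedsCollateral(uint256 refund, uint256 held);

    // Returns the maker refund only after validating every input to the calculation.
    function abortAskOffer(bytes32 id) external returns (uint256 makerRefundAmount) {
        OfferInfo storage o = offers[id];
        // 1. State check: only Virgin or Canceled offers may be aborted, and only once.
        if (o.aborted ||
            (o.offerStatus != OfferStatus.Virgin && o.offerStatus != OfferStatus.Canceled)) {
            revert InvalidStatus();
        }
        // 2. Point accounting must be internally consistent before it feeds the math.
        if (o.points == 0 || o.usedPoints > o.points) revert InvalidPoints(o.usedPoints, o.points);
        // 3. Unused portion of the offer; rounding down so rounding never favours the maker.
        uint256 remainingAmount = (o.amount * (o.points - o.usedPoints)) / o.points;
        // 4. Collateral backing the unused portion (assumed formula).
        uint256 transferAmount = (remainingAmount * o.collateralRate) / ONE_HUNDRED_PERCENT;
        // 5. Never refund more than is actually held for this offer.
        if (transferAmount > o.collateral) revert RefundExceedsCollateral(transferAmount, o.collateral);
        makerRefundAmount = transferAmount;
        o.collateral -= makerRefundAmount;
        o.aborted = true;
        o.offerStatus = OfferStatus.Settled;
        // The token transfer of makerRefundAmount to the maker would follow here.
    }
}
```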