Arbitrary from passed to transferFrom (or safeTransferFrom) in StabilityBranch.sol
Summary
The function fulfillSwap could potentially be exploited when transferring assets from the vault to the engine contract.
If an attacker manipulates vault.indexToken, they could exploit existing approvals and cause unintended fund transfers.
Vulnerability Details
If an attacker manipulates vault.indexToken, they could exploit existing approvals and cause unintended fund transfers.
Passing an arbitrary from address to transferFrom (or safeTransferFrom) can lead to loss of funds, because anyone can transfer tokens from the from address if an approval is made.
The issue occurs when:
The contract allows an untrusted or incorrect
vault.indexTokenaddress.The address has existing approvals from other users or contracts.
Tokens are moved from that address unknowingly due to past approvals.
Impact
Loss of funds from users who previously approved token transfers to vault.indexToken.
Potential exploitation of external contracts that mistakenly approved
vault.indexToken.Unauthorized token transfers leading to financial losses.
Tools Used
Manual review
Recommendations
To mitigate this risk, consider the following options:
1 Restrict vault.indexToken to only trusted vault addresses.
Example:
2 Instead of using vault.indexToken in safeTransferFrom, you could force the sender (msg.sender) to be the one who sends the tokens.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.