Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

[M-04] Unrestricted `engine` Parameter Allows Manipulation of `usdToken`

jakefromstatefarm

Summary

In the fulfillSwap function, the engine address is provided as an external input parameter. This engine address is used to retrieve the corresponding usdToken from the MarketMakingEngineConfiguration. If the usdTokenOfEngine mapping is mutable and not properly restricted, a malicious keeper could pass an arbitrary engine address that points to a malicious contract implementing the UsdToken interface. This could allow the attacker to burn unauthorized tokens, execute reentrancy attacks, or steal funds by redirecting token transfers to their own accounts.

Impacted code:

ctx.usdToken = UsdToken(marketMakingEngineConfiguration.usdTokenOfEngine[engine]);

I've rated this as MEDIUM because the exploit equires the ability to submit transactions with arbitrary engine addresses.

Recommendations

Ensure the `engine` parameter is validated against a whitelist of authorized engine addresses before using it to fetch the `usdToken`. Additionally, consider implementing further checks or using a more secure method to associate engines with their tokens to prevent arbitrary manipulation.

For example: implement a whitelist of authorized engine addresses and validate the engine parameter against this list before using it.

mapping(address => bool) private authorizedEngines;

function fulfillSwap(

address user,

uint128 requestId,

bytes calldata priceData,

address engine

)

external

onlyRegisteredSystemKeepers

{

// Validate engine address

require(authorizedEngines[engine], "Unauthorized engine address");

// Existing logic...

UsdToken usdToken = UsdToken(marketMakingEngineConfiguration.usdTokenOfEngine[engine]);

// Rest of the function...

}

function addAuthorizedEngine(address engine) external onlyOwner {

authorizedEngines[engine] = true;

}

function removeAuthorizedEngine(address engine) external onlyOwner {

authorizedEngines[engine] = false;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.