Submission Details
Impact:
Likelihood:
setAllowedSellToken Does Not Restrict to Approved Tokens
Root + Impact
Description
-
Only four token are allowed to sell
-
setAllowedSellToken doesn't restrict which token to sell.
function setAllowedSellToken(address _token, bool _isAllowed) external onlyOwner {
if (_token == address(0) || _token == address(iUSDC)) revert InvalidToken(); // Cannot allow null or USDC itself
allowedSellToken[_token] = _isAllowed;
//@audit if(_token != address(iWETH) | _token != address(iWBTC) | _token != address(iWSOL) | _token != address(iUSDC)) revert InvalidToken(); ))
emit TokenAllowed(_token, _isAllowed);
}
Risk
Likelihood:
-
Reason 1 Human error(owner might add malicious tokens)
-
Reason 2 Attacker become owner (private key leak)
Impact:
-
The
onlyOwnerrole can whitelist any ERC20 token (exceptaddress(0)/USDC). -
Malicious token can leads to loss of funds.
Proof of Concept Owner (or compromised owner) calls:
Buyer pays USDC for the malicious token.
Attacker steals funds or causes trade to fail.
setAllowedSellToken(address(maliciousToken), true);
Recommended Mitigation Include given require checks.
- remove this code
+ require(
_token == address(iWETH) ||
_token == address(iWBTC) ||
_token == address(iWSOL) ,
"InvalidToken: Only iWETH, iWBTC, iWSOL, or iUSDC allowed"
);
Rewards breakdown
nSLOC
217This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.