Code4rena, 2021-11-streaming findings, issue 209

Dec 06, 2021

Locke.sol:Stream - arbitraryCall can be used to drain incentive tokens


Handle

ScopeLift

Vulnerability details

Impact

Governor can drain incentive balance via arbitraryCall

Proof of Concept

The Stream contract offers createIncentive <https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L500> and claimIncentive <https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L516>, which is the path by which the contract "expects" incentives to flow. Claiming incentives is limited to the stream creator, and only after the stream ends.

The contract assumes the governor is untrusted, and therefore checks that the depositToken and rewardToken balances do not change across an arbitraryCall. It also blocks direct calls to incentive token contracts that currently hold an incentive balance: L735 <https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L735>

However, a malicious governor could pre-emptively call token.approve(maliciousActor, MAX_UINT) on a token in which an incentive is expected but has not yet been created, since the L735 check only covers tokens that already hold an incentive balance. maliciousActor can be any address, and it can then transfer the incentive balance out whenever an incentive is later created.

Tools Used

Recommended Mitigation Steps

Replace arbitraryCall with more targeted behavior

Or

Inside arbitraryCall, block calls to approve and safeApprove by checking the function selector encoded in data
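The second mitigation, sketched as an added example (this is not Locke.sol code, and the contract name, the `gov` / `depositToken` / `rewardToken` / `incentives` state and the error names are assumptions). It reads the 4-byte function selector from the front of `data`, rejects `approve(address,uint256)` before forwarding the call, and keeps the balance checks the finding describes. `increaseAllowance(address,uint256)` is also blocked, since it is a second standard way to grant an allowance:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5; // bytes4(calldata slice) conversion needs >= 0.8.5

// Added example, not the project's code. Minimal governor-only arbitraryCall
// that refuses to forward allowance-granting calls to any target.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function increaseAllowance(address spender, uint256 addedValue) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract SelectorGuardedCall {
    address public immutable gov;          // assumed: untrusted governor address
    address public immutable depositToken; // assumed: stream deposit token
    address public immutable rewardToken;  // assumed: stream reward token

    // assumed: incentive balance currently held per token (mirrors the L735 check)
    mapping(address => uint256) public incentives;

    error Unauthorized();
    error TokenHasIncentive(address token);
    error ForbiddenSelector(bytes4 selector);
    error BalanceChanged(address token);

    constructor(address _gov, address _depositToken, address _rewardToken) {
        gov = _gov;
        depositToken = _depositToken;
        rewardToken = _rewardToken;
    }

    /// @dev First four bytes of `data`, i.e. the ABI function selector.
    ///      A payload shorter than four bytes cannot carry a selector, so it
    ///      is rejected instead of being treated as "nothing to filter".
    function _selector(bytes calldata data) internal pure returns (bytes4) {
        if (data.length < 4) revert ForbiddenSelector(bytes4(0));
        return bytes4(data[:4]);
    }

    function arbitraryCall(address target, bytes calldata data) external {
        if (msg.sender != gov) revert Unauthorized();

        // Existing-style guard: no direct calls to a token that holds an incentive.
        if (incentives[target] != 0) revert TokenHasIncentive(target);

        // New guard: never let the governor grant an allowance on this
        // contract's behalf, regardless of whether the target holds a balance yet.
        bytes4 sel = _selector(data);
        if (sel == IERC20.approve.selector || sel == IERC20.increaseAllowance.selector) {
            revert ForbiddenSelector(sel);
        }

        uint256 depositBefore = IERC20(depositToken).balanceOf(address(this));
        uint256 rewardBefore = IERC20(rewardToken).balanceOf(address(this));

        (bool ok, bytes memory ret) = target.call(data);
        if (!ok) {
            // Bubble up the callee's revert data unchanged.
            assembly { revert(add(ret, 32), mload(ret)) }
        }

        // Existing-style guard: core token balances must be untouched.
        if (IERC20(depositToken).balanceOf(address(this)) != depositBefore) revert BalanceChanged(depositToken);
        if (IERC20(rewardToken).balanceOf(address(this)) != rewardBefore) revert BalanceChanged(rewardToken);
    }
}
```

A selector denylist is a narrow fix: any other token-specific entry point that grants spending rights (for example, a `permit`-style function or a non-standard allowance setter) would still pass, so each token the stream may hold needs to be reviewed against the list. That is why the first recommendation, replacing arbitraryCall with a small set of targeted functions, is the more robust of the two.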
