Code4rena | CODE423N4:2022-05-FACTORYDAO-FINDINGS-ISSUES-143
May 08, 2022 - 12:00 a.m.

Reward Token Transfer Failure Can Lead to Loss of Deposit in PermissionlessBasicPoolFactory

Code4rena
github.com

Lines of code

Vulnerability details

Impact

If the transfer of any reward token returns false or reverts for whatever reason, users who deposited will not be able to withdraw their deposit. A malicious pool creator could abuse this to lock victims' tokens by using two reward tokens: one normal, valuable token that transfers normally, and one "evil" token that reverts whenever its transfer function is called during a withdrawal.

Proof of Concept

  1. Attacker creates an ERC20 token that has a backdoor they can toggle that will cause all transfers to revert.
  2. Attacker creates a pool and adds to it a reward token such as WETH (to attract victims/users) and their malicious token created in step 1.
  3. Victim/user deposits depositToken into evil pool.
  4. Attacker toggles switch on evil token so now all transfers fail.
  5. Victim/user tries to withdraw their depositToken from evil pool. The transfers of the depositToken and WETH would succeed, but because the transfer of the evil token reverts, the entire call to withdraw reverts and the victim gets back nothing.

Recommended Mitigation Steps

Add an emergency withdraw function that allows withdrawing one's deposit without receiving any reward token.

In addition, one might want to consider adding a function allowing users to receive each reward token separately.
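
The first recommendation, sketched as an added example (not code from the FactoryDAO repository or from the report). The contract name, storage layout and fixed-rate reward formula are assumptions made for illustration; only the shape of withdraw versus emergencyWithdraw matters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;
// Added illustration with hypothetical names; not the FactoryDAO contract.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract PoolSketch {
    IERC20 public immutable depositToken;
    IERC20[] public rewardTokens;
    uint256[] public rewardRate; // assumed: reward per deposited unit, scaled by 1e18
    mapping(address => uint256) public deposits;

    event EmergencyWithdraw(address indexed user, uint256 amount);

    constructor(IERC20 deposit_, IERC20[] memory rewards_, uint256[] memory rates_) {
        require(rewards_.length == rates_.length, "length mismatch");
        depositToken = deposit_;
        rewardTokens = rewards_;
        rewardRate = rates_;
    }

    function deposit(uint256 amount) external {
        deposits[msg.sender] += amount;
        require(depositToken.transferFrom(msg.sender, address(this), amount), "deposit failed");
    }

    // Pattern from the finding: one failing reward transfer reverts the whole call,
    // so the principal transfer on the last line is never committed.
    function withdraw() external {
        uint256 amount = deposits[msg.sender];
        require(amount > 0, "nothing deposited");
        deposits[msg.sender] = 0;
        for (uint256 i = 0; i < rewardTokens.length; i++) {
            uint256 reward = (amount * rewardRate[i]) / 1e18;
            require(rewardTokens[i].transfer(msg.sender, reward), "reward transfer failed");
        }
        require(depositToken.transfer(msg.sender, amount), "deposit transfer failed");
    }

    // Mitigation: return principal only and forfeit rewards; no reward token is called.
    function emergencyWithdraw() external {
        uint256 amount = deposits[msg.sender];
        require(amount > 0, "nothing deposited");
        deposits[msg.sender] = 0; // clear state before the external call
        require(depositToken.transfer(msg.sender, amount), "deposit transfer failed");
        emit EmergencyWithdraw(msg.sender, amount);
    }
}
```

Because emergencyWithdraw makes no call into any reward token, the state of a reward token cannot block return of the principal.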

