Jul 14, 2022

Buyout Module: ethBalance is not properly updated

Code4rena (github.com)
Tags: buyout module, ethbalance, assets stolen, exploitation, plugins, foundry, mitigation

Lines of code

Vulnerability details

Impact

HIGH - Assets can be stolen directly.
An attacker can steal ETH from the buyout module.

Proof of Concept

Proof of concept 1 shows that cashing out the same amount of fractions results in different amounts of ETH.
The first cash out of 1000 FERC1155 tokens results in 0.2 ETH. When Bob cashes out 1000 FERC1155 tokens again, he receives 0.2666… ETH.
The increased payout comes from other buyout processes, so Bob is effectively stealing ETH by splitting his payout into several cash outs.

Proof of concept 2 demonstrates a scenario in which one can drain ETH from the buyout module using a vault that has the supply target installed as a plugin. The plugin makes it possible to mint more FERC1155 tokens along the way.

  1. setup: other people are using the buyout module, so the module holds some ETH
  2. deploy a vault with the supply target as a plugin and the mint function as the selector
  3. start the buyout process for the vault
  4. end the buyout process successfully
  5. now the attacker can mint and cash out repeatedly, possibly until all the ETH is drained from the buyout module

For both cases the main issue is that the ethBalance is not properly updated:

// modules/Buyout.sol::cash
// the balance should be updated
// Mitigation idea: update the ethBalance before the transfer
// ethBalance -= buyoutShare;

        // Transfers buyout share amount to caller based on total supply
        uint256 totalSupply = IVaultRegistry(registry).totalSupply(_vault);
        uint256 buyoutShare = (tokenBalance * ethBalance) /
            (totalSupply + tokenBalance);
        _sendEthOrWeth(msg.sender, buyoutShare);

However, the existence of plugins made the issue a lot easier to exploit.

Tools Used

foundry

Recommended Mitigation Steps

Update the ethBalance before sending ether.
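The following is an added simulation of the cash-out accounting, not the project's code and not the warden's Foundry proof of concept. It models Buyout.sol::cash in integer wei arithmetic, first with the stale ethBalance the report describes and then with the recommended decrement, and replays both proofs of concept: Bob cashing out 1000 fractions twice, and the mint-and-cash loop through a supply plugin. The vault size (4000 fractions, 0.8 ETH in its buyout) is an assumption chosen so that the first scenario reproduces the 0.2 ETH and 0.2666… ETH figures above; the 10 ETH held by the module on behalf of other buyouts is likewise constructed, and a plain mint() stands in for the supply-target plugin.

```python
"""Constructed model of the Buyout.cash() accounting bug (not project code).

Integer wei arithmetic mirrors Solidity's truncating division. The starting
values are assumptions picked to reproduce the figures in the report.
"""
from dataclasses import dataclass

ETH = 10**18  # wei per ether


@dataclass
class BuyoutState:
    """One vault's buyout bookkeeping plus the module's real ETH holdings."""
    total_supply: int   # FERC1155 fractions outstanding in the registry
    eth_balance: int    # ethBalance recorded for this vault's buyout (wei)
    module_eth: int     # ETH actually held by the module contract (wei)

    def mint(self, amount: int) -> None:
        """Stand-in for the supply-target plugin minting new fractions."""
        self.total_supply += amount

    def cash(self, token_balance: int, fixed: bool) -> int:
        """Cash out `token_balance` fractions and return the wei paid out.

        Fractions are burned first, so the share is computed from the
        post-burn totalSupply, as in Buyout.sol::cash. With fixed=False the
        recorded ethBalance is never reduced (the reported bug); with
        fixed=True it is decremented before the transfer (the mitigation).
        """
        assert 0 < token_balance <= self.total_supply
        self.total_supply -= token_balance  # burn the caller's fractions
        share = (token_balance * self.eth_balance) // (self.total_supply + token_balance)
        if fixed:
            self.eth_balance -= share
        # The module pays from its real balance, which also holds ETH that
        # belongs to other vaults' buyouts; that is what the bug drains.
        if share > self.module_eth:
            raise RuntimeError("module ETH exhausted")
        self.module_eth -= share
        return share


def bob_double_cash(fixed: bool) -> list:
    """PoC 1: Bob cashes out 1000 fractions twice; returns both payouts (wei)."""
    state = BuyoutState(total_supply=4000, eth_balance=8 * 10**17, module_eth=8 * 10**17)
    return [state.cash(1000, fixed), state.cash(1000, fixed)]


def simulate_drain(fixed: bool, max_rounds: int = 100) -> int:
    """PoC 2: mint 1000 fractions and cash them out, repeatedly.

    The module holds 10 ETH in total, of which only 0.8 ETH belongs to the
    attacker's vault. Returns the total wei extracted before the module
    runs dry or max_rounds is reached.
    """
    state = BuyoutState(total_supply=4000, eth_balance=8 * 10**17, module_eth=10 * ETH)
    total = 0
    for _ in range(max_rounds):
        state.mint(1000)
        try:
            total += state.cash(1000, fixed)
        except RuntimeError:
            break
    return total


if __name__ == "__main__":
    for fixed in (False, True):
        label = "fixed" if fixed else "buggy"
        payouts = [p / ETH for p in bob_double_cash(fixed)]
        print(f"{label}: Bob's two cash outs pay {payouts} ETH")
        print(f"{label}: mint-and-cash loop extracts {simulate_drain(fixed) / ETH} ETH "
              f"(vault's own buyout held 0.8 ETH)")
```

In the buggy variant Bob's second cash out pays more than the first, and the mint-and-cash loop pulls out far more than the 0.8 ETH the attacker's vault ever contributed. With the decrement in place, each cash out of 1000 fractions pays exactly 0.2 ETH, and the loop's payouts shrink geometrically so that their sum can never exceed the vault's own ethBalance.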
