HIGH - Assets can be stolen directly.
An attacker can steal eth from buyout module
Proof of concept 1 shows that cashing out the same amount of fractions results in a different amount of ETH each time.
The first cash out of 1000 FERC1155 tokens yields 0.2 ETH. When Bob cashes out another 1000 FERC1155, he receives 0.2666… ETH.
The increased payout comes from the ETH of other buyout processes, so Bob is effectively stealing ETH by splitting his cash out into several calls.
Proof of concept 2 demonstrates a scenario where one can drain ETH from the buyout module using a vault that has the supply target as a plugin. The plugin makes it possible to mint more FERC1155 tokens along the way.
For both cases the main issue is that the ethBalance is not properly updated:
```solidity
// modules/Buyout.sol::cash (lines 266-270)
// the balance should be updated
// Mitigation idea: update the ethBalance
// ethBalance -= buyoutShare;

// Transfers buyout share amount to caller based on total supply
uint256 totalSupply = IVaultRegistry(registry).totalSupply(_vault);
uint256 buyoutShare = (tokenBalance * ethBalance) /
    (totalSupply + tokenBalance);
_sendEthOrWeth(msg.sender, buyoutShare);
```
However, the existence of plugins made the issue a lot easier to exploit.
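To make the arithmetic concrete, the following Python model (added for this write-up, not code from Fractional) replays the `cash` formula above with and without the mitigation. The numbers are constructed: a vault with 4000 fractions outstanding and 0.8 ETH set aside for the buyout, which reproduces the 0.2 ETH and 0.2666… ETH payouts described in proof of concept 1. It assumes, as the `totalSupply + tokenBalance` denominator suggests, that the caller's fractions are burned before `totalSupply` is read.

```python
WEI = 10**18


class BuyoutSim:
    """Constructed model of Buyout.cash(); not the project's own code."""

    def __init__(self, total_supply, eth_balance_wei, apply_fix):
        self.total_supply = total_supply      # FERC1155 fractions still outstanding
        self.eth_balance = eth_balance_wei    # ETH the buyout set aside for cash-outs
        self.apply_fix = apply_fix            # True: decrement ethBalance before paying

    def cash(self, token_balance):
        if token_balance <= 0 or token_balance > self.total_supply:
            raise ValueError("token balance must be positive and at most total supply")
        # Assumption: the caller's fractions are burned first, so the pro-rata
        # denominator adds them back (totalSupply + tokenBalance), as in the snippet.
        self.total_supply -= token_balance
        buyout_share = (token_balance * self.eth_balance) // (self.total_supply + token_balance)
        if self.apply_fix:
            # Mitigation: account for the payout before sending it, so the next
            # caller's share is computed against the ETH actually remaining.
            self.eth_balance -= buyout_share
        # _sendEthOrWeth(msg.sender, buyout_share) happens here in the contract
        return buyout_share


def simulate_cashouts(apply_fix, total_supply=4000, eth_balance_wei=8 * WEI // 10, chunk=1000):
    """Cash out the whole supply in fixed-size chunks; return (payouts, total paid)."""
    sim = BuyoutSim(total_supply, eth_balance_wei, apply_fix)
    payouts = []
    while sim.total_supply > 0:
        payouts.append(sim.cash(min(chunk, sim.total_supply)))
    return payouts, sum(payouts)


def overpaid_wei(total_supply=4000, eth_balance_wei=8 * WEI // 10, chunk=1000):
    """ETH paid out beyond the buyout's own balance; this comes from other buyouts."""
    _, total = simulate_cashouts(False, total_supply, eth_balance_wei, chunk)
    return max(0, total - eth_balance_wei)


if __name__ == "__main__":
    for fixed in (False, True):
        payouts, total = simulate_cashouts(fixed)
        label = "fixed" if fixed else "vulnerable"
        print(label, [p / WEI for p in payouts], "total", total / WEI)
    print("overpaid ETH:", overpaid_wei() / WEI)
```

With the stale `ethBalance`, four cash-outs of 1000 fractions pay 0.2, 0.2666…, 0.4 and 0.8 ETH, 1.6666… ETH in total against a buyout that only holds 0.8 ETH; the surplus is ETH belonging to other buyouts in the module. With the decrement in place every chunk pays 0.2 ETH and the total is exactly 0.8 ETH.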
Tools used: foundry
Recommended mitigation: update the ethBalance before sending ether.