code423n4 | Code4rena | CODE423N4:2022-08-MIMO-FINDINGS-ISSUES-4
Aug 02, 2022 - 12:00 a.m.

Attacker can empty vaults

Lines of code
<https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/actions/MIMOEmptyVault.sol#L14>

Vulnerability details

Impact

Both the MIMOEmptyVault and MIMOLeverage contracts share the same signature/definition; an attacker can gain control of the EmptyVault contract, issue a flash loan, and empty the vaults.

Proof of Concept

See the test below. In the test below, the EmptyVault contract is deployed and the reference is stored in the Leverage contract variable.

```ts
await deploy("MIMOEmptyVault", {
  from: owner.address,
  args: [addressProvider.address, dexAddressProvider.address, lendingPool.address, mimoProxyRegistry.address],
});
// The MIMOEmptyVault deployment is bound to a variable typed as MIMOLeverage.
const leverage: MIMOLeverage = await ethers.getContract("MIMOEmptyVault");
```

Now I have gained access to EmptyVault and I can execute operations.

Tools Used

yarn test

Recommended Mitigation Steps

  1. Check the reference of the calling contract in both contracts
