code423n4 | Code4rena | CODE423N4:2022-09-TRIBE-FINDINGS-ISSUES-234
Sep 12, 2022 - 12:00 a.m.

There is no time lock mechanism in RariMerkleRedeemer, and the constructor of the RariMerkleRedeemer contract doesn't check for a maximum value for cTokenExchangeRates; if a high value is set by mistake, an attacker can withdraw most of the contract's baseToken balance immediately

Lines of code
<https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/fuse/RariMerkleRedeemer.sol#L122-L135>

Vulnerability details

Impact

Exchange rates are used to calculate the baseToken amounts that are transferred to the user. If the exchange rates are set to a very high number by mistake, an attacker can withdraw the baseToken balance of the contract. There should be checks in the contract that prevent this type of mistake, or a time lock mechanism for setting these values.

Proof of Concept

This is the constructor() and _configureExchangeRates() code of the RariMerkleRedeemer contract:

    /// @param token The token that will be received when exchanging cTokens
    /// @param cTokens The supported cTokens; must be exactly 27 tokens
    /// @param rates The exchange rate for each cToken; must be exactly 27 rates
    /// @param roots The merkle root for each cToken; must be exactly 27 roots
    constructor(
        address token,
        address[] memory cTokens,
        uint256[] memory rates,
        bytes32[] memory roots
    ) {
        _configureExchangeRates(cTokens, rates);
        _configureMerkleRoots(cTokens, roots);
        _configureBaseToken(token);
    }

    // The exchange rates provided should represent how much of the base token will be given
    // in exchange for 1e18 cTokens. This increases precision.
    function _configureExchangeRates(address[] memory _cTokens, uint256[] memory _exchangeRates) internal {
        require(_cTokens.length == 27, "Must provide exactly 27 exchange rates.");
        require(_cTokens.length == _exchangeRates.length, "Exchange rates must be provided for each cToken");

        for (uint256 i = 0; i < _cTokens.length; i++) {
            require(
                _exchangeRates[i] > 1e10,
                "Exchange rate must be greater than 1e10. Did you forget to multiply by 1e18?"
            );
            cTokenExchangeRates[_cTokens[i]] = _exchangeRates[i];
        }
    }

As you can see, there is no time lock mechanism for setting these values, and there is no check to make sure the exchange rates aren't set to a wrong, high value. If these values are set by mistake to a very high number, an attacker can pay a small number of cTokens and redeem the entire baseToken balance of the contract.

Tools Used

VIM

Recommended Mitigation Steps

To prevent this, there should be a time lock mechanism or checks that prevent wrong values.
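
One way to combine both mitigations, shown as an added example that is not code from the Tribe repository or from the original report. The contract name, the `guardian` role, `MAX_RATE` and `ACTIVATION_DELAY` are hypothetical and their values are assumptions; the lower bound and the `rate * amount / 1e18` scaling follow the comments in the code quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added illustration, not the Tribe DAO contract.
contract BoundedRateRedeemerExample {
    uint256 public constant MIN_RATE = 1e10;            // lower bound used on the page
    uint256 public constant MAX_RATE = 1e18;            // ASSUMPTION: illustrative ceiling, choose per deployment
    uint256 public constant ACTIVATION_DELAY = 2 days;  // ASSUMPTION: review window before redemptions open

    address public immutable guardian;     // hypothetical role allowed to veto during the delay
    uint256 public immutable activeAfter;  // redemptions are blocked until this timestamp
    bool public cancelled;

    mapping(address => uint256) public cTokenExchangeRates;

    constructor(address[] memory cTokens, uint256[] memory rates, address _guardian) {
        require(cTokens.length == rates.length, "Exchange rates must be provided for each cToken");
        for (uint256 i = 0; i < cTokens.length; i++) {
            require(rates[i] > MIN_RATE, "Exchange rate too low");
            // The check the report asks for: reject implausibly high rates at deployment.
            require(rates[i] <= MAX_RATE, "Exchange rate too high");
            cTokenExchangeRates[cTokens[i]] = rates[i];
        }
        guardian = _guardian;
        activeAfter = block.timestamp + ACTIVATION_DELAY;
    }

    /// The guardian can stop the contract during the delay if a rate turns out to be wrong.
    function cancel() external {
        require(msg.sender == guardian, "Not guardian");
        require(block.timestamp < activeAfter, "Already active");
        cancelled = true;
    }

    /// Base-token amount owed for `cTokenAmount`; reverts while the time lock is active.
    /// A real redeem function would apply the same two guards before transferring.
    function previewRedeem(address cToken, uint256 cTokenAmount) public view returns (uint256) {
        require(!cancelled, "Cancelled");
        require(block.timestamp >= activeAfter, "Time lock active");
        return (cTokenExchangeRates[cToken] * cTokenAmount) / 1e18;
    }
}
```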

