Lines of code
<https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/fuse/RariMerkleRedeemer.sol#L122-L135>
Exchange rates are used to calculate baseToken amounts that are going to be transferred to the user, if exchange rates are set as a very high number by mistake, an attacker can withdraw baseToken balance of the contract. there should be some checks in the contract that prevent this type of mistake or there should be some time lock mechanism to set these values.
This constructor() and _configureExchangeRates() code of RariMerkleRedeemer contract:
/// @param token The token that will be received when exchanging cTokens
/// @param cTokens The supported cTokens; must be exactly 27 tokens
/// @param rates The exchange rate for each cToken; must be exactly 27 rates
/// @param roots The merkle root for each cToken; must be exactly 27 roots
constructor(
address token,
address[] memory cTokens,
uint256[] memory rates,
bytes32[] memory roots
) {
_configureExchangeRates(cTokens, rates);
_configureMerkleRoots(cTokens, roots);
_configureBaseToken(token);
}
// The exchange rates provided should represent how much of the base token will be given
// in exchange for 1e18 cTokens. This increases precision.
function _configureExchangeRates(address[] memory _cTokens, uint256[] memory _exchangeRates) internal {
require(_cTokens.length == 27, "Must provide exactly 27 exchange rates.");
require(_cTokens.length == _exchangeRates.length, "Exchange rates must be provided for each cToken");
for (uint256 i = 0; i < _cTokens.length; i++) {
require(
_exchangeRates[i] > 1e10,
"Exchange rate must be greater than 1e10. Did you forget to multiply by 1e18?"
);
cTokenExchangeRates[_cTokens[i]] = _exchangeRates[i];
}
}
As you can see there is no time lock mechanism to set these values and there is no check to make sure exchange rates arenβt set to the wrong high value. if these values are set by mistake as a very high number, an attacker can pay a small number of cToken and redeem all the baseToken balance of the contract.
VIM
to prevent these, there should be some time lock mechanism or some checks that prevent wrong values.
The text was updated successfully, but these errors were encountered:
All reactions