Code4rena: 2023-06-llama findings, issue 296 (Jun 14, 2023)

NATIVE TOKENS COULD GET STUCK INSIDE THE LlamaCore CONTRACT SINCE THERE IS NO WITHDRAWAL MECHANISM

2023-06-14 00:00:00
Code4rena
github.com

Tags: vulnerability, impact, proof of concept, mitigation, llamacore, llamaexecutor, eth-transfer

Lines of code
<https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaCore.sol#L333-L334>
<https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaExecutor.sol#L29-L35>

Vulnerability details

Impact

The LlamaCore contract has a single payable function, LlamaCore.executeAction(). It executes actions by calling executor.execute(). However, the native tokens received by this contract are not forwarded with that call.

Only the numerical value of msg.value is passed on to executor.execute(), via the actionInfo.value parameter. Nor is executor.execute() a payable function, so it could not accept native tokens sent along with the call anyway.

There is also no withdrawal function in the LlamaCore contract for native tokens sent to it via the payable LlamaCore.executeAction() function.

Hence the msg.value sent to LlamaCore.executeAction() can get stuck in the LlamaCore contract: that amount of native token is neither passed on to another external function nor recoverable, since no withdrawal function is implemented in LlamaCore.

Proof of Concept

  function executeAction(ActionInfo calldata actionInfo) external payable {

<https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaCore.sol#L317>

    (bool success, bytes memory result) =
      executor.execute(actionInfo.target, actionInfo.value, action.isScript, actionInfo.data);

<https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaCore.sol#L333-L334>

  function execute(address target, uint256 value, bool isScript, bytes calldata data)
    external
    returns (bool success, bytes memory result)
  {
    if (msg.sender != LLAMA_CORE) revert OnlyLlamaCore();
    (success, result) = isScript ? target.delegatecall(data) : target.call{value: value}(data);
  }

<https://github.com/code-423n4/2023-06-llama/blob/main/src/LlamaExecutor.sol#L29-L35>

Tools Used

Manual Review and VSCode

Recommended Mitigation Steps

It is recommended to add a withdrawal function if the native tokens sent in are meant to be stored in the LlamaCore contract, so that they can be withdrawn later. Otherwise, if they are meant to be transferred to the LlamaExecutor contract, the LlamaExecutor.execute() function should be made payable and the native tokens should be forwarded to execute() as part of the LlamaCore.executeAction() call.
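The stranded-value path described under Impact and the payable-forwarding fix from the mitigation, shown side by side as an added illustration that is not Llama's own code: a stripped-down Core/Executor pair whose contract and function names mirror the finding, while Receiver, executeActionVulnerable, executeActionFixed, executePayable, strandedBalance and the IncorrectMsgValue error are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration (not Llama's code): why ETH sent to a payable
// executeAction() is stranded when the executor is not payable, and one
// way to fix it by forwarding msg.value with the call.

contract Executor {
    address public immutable CORE;
    error OnlyCore();

    constructor(address core) { CORE = core; }

    // Vulnerable shape: not payable, so the core cannot forward msg.value
    // here. `value` is only a number; the ETH must already sit in this
    // contract's balance or the low-level call below returns false.
    function execute(address target, uint256 value, bytes calldata data)
        external
        returns (bool success, bytes memory result)
    {
        if (msg.sender != CORE) revert OnlyCore();
        (success, result) = target.call{value: value}(data);
    }

    // Fixed shape (assumed name): payable, so the core can forward the ETH
    // in the same call and the value actually leaves with the action.
    function executePayable(address target, uint256 value, bytes calldata data)
        external
        payable
        returns (bool success, bytes memory result)
    {
        if (msg.sender != CORE) revert OnlyCore();
        (success, result) = target.call{value: value}(data);
    }
}

contract Core {
    Executor public immutable executor;
    error IncorrectMsgValue(uint256 sent, uint256 expected);
    error ExecutionFailed(bytes result);

    constructor() { executor = new Executor(address(this)); }

    // Vulnerable shape (mirrors the finding): msg.value stays in this
    // contract and only the number `value` travels to the executor. Any
    // ETH attached to an action, e.g. one whose `value` is 0, stays here,
    // and with no withdrawal function the balance can only grow.
    function executeActionVulnerable(address target, uint256 value, bytes calldata data)
        external
        payable
    {
        (bool ok, bytes memory res) = executor.execute(target, value, data);
        if (!ok) revert ExecutionFailed(res);
    }

    // Fixed shape: require the caller to fund exactly what the action spends,
    // then forward that amount with the call so nothing is left behind.
    function executeActionFixed(address target, uint256 value, bytes calldata data)
        external
        payable
    {
        if (msg.value != value) revert IncorrectMsgValue(msg.value, value);
        (bool ok, bytes memory res) =
            executor.executePayable{value: value}(target, value, data);
        if (!ok) revert ExecutionFailed(res);
    }

    // Observability helper for the walkthrough: ETH that has nowhere to go.
    function strandedBalance() external view returns (uint256) {
        return address(this).balance;
    }
}

// Minimal target used to observe where the ETH ends up.
contract Receiver {
    uint256 public received;
    receive() external payable { received += msg.value; }
}
```

Walkthrough on a local node or in Foundry: deploy Core and Receiver, then call core.executeActionVulnerable{value: 1 ether}(address(receiver), 0, "") and observe core.strandedBalance() == 1 ether while receiver.received() stays 0, with no function able to move it out. Calling core.executeActionFixed{value: 1 ether}(address(receiver), 1 ether, "") instead leaves core.strandedBalance() at 0 and receiver.received() at 1 ether, and sending a msg.value that does not match the action's value reverts with IncorrectMsgValue rather than silently stranding the difference.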

Assessed type

ETH-Transfer

