Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Passing multiple ETH deposits in orders array will use the same msg.value many times #226

Open
code423n4 opened this issue Nov 17, 2021 · 2 comments
Open

Passing multiple ETH deposits in orders array will use the same msg.value many times #226

code423n4 opened this issue Nov 17, 2021 · 2 comments
Assignees
@maximebrugel
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)

Comments

@code423n4
Copy link
Contributor

Handle

hyh

Vulnerability details

Impact

Contract holdings can be emptied as malicious user will do deposit/withdraw to extract value. This is possible because after _transferInputTokens system uses contract balance for user's operations, assuming that equivalent value was transferred.

Proof of Concept

msg.value persist over calls, so passing 'Order[] calldata _orders' holding multiple ETH deposits will use the same msg.value in each of them, resulting in multiple deposits, that sums up to much bigger accounted value than actually deposited value, up to contract's ETH holdings.

create / addTokens -> _submitInOrders -> _transferInputTokens
https://github.com/code-423n4/2021-11-nested/blob/main/contracts/NestedFactory.sol#L103
https://github.com/code-423n4/2021-11-nested/blob/main/contracts/NestedFactory.sol#L119

sellTokensToWallet -> _submitOutOrders -> _transferInputTokens
https://github.com/code-423n4/2021-11-nested/blob/main/contracts/NestedFactory.sol#L172

sellTokensToNft -> _submitOutOrders -> _transferInputTokens
https://github.com/code-423n4/2021-11-nested/blob/main/contracts/NestedFactory.sol#L152

_transferInputTokens uses msg.value:
https://github.com/code-423n4/2021-11-nested/blob/main/contracts/NestedFactory.sol#L462

Recommended Mitigation Steps

Controlling ETH to be only once in orders will not help, as NestedFactory inherits from Multicall, which multicall(bytes[] calldata data) function allows same reusage of msg.value, which will persist over calls.

So, it is recommended to treat ETH exclusively, not allowing ETH operations to be batched at all.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Nov 17, 2021
code423n4 added a commit that referenced this issue Nov 17, 2021
@code423n4
hyh issue #226
5b24e23
This was referenced Nov 18, 2021
Closed
Closed
@adrien-supizet
Copy link
Collaborator

Multicall is not currently used, and the funds exposed would be the NestedFactory's which should hold no funds.

To avoid future bugs, we're going to remove the multicall library, but we don't think this is a high severity issue.

@maximebrugel maximebrugel added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Nov 22, 2021
@maximebrugel maximebrugel mentioned this issue Nov 23, 2021
Open
@alcueca
Copy link
Collaborator

alcueca commented Dec 3, 2021

Downgrading severity to 2 because the NestedFactory is not expected to hold funds, and therefore there is no risk of a loss. You can't deposit the same Ether twice in the WETH contract.

Also keeping this as the main over #13.

@alcueca alcueca added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Dec 3, 2021
@maximebrugel maximebrugel self-assigned this Dec 14, 2021
@maximebrugel maximebrugel mentioned this issue Dec 14, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maximebrugel maximebrugel

Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@maximebrugel @adrien-supizet @alcueca @code423n4