Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token approval (max) not revoked for old addresses #1189

Closed
code423n4 opened this issue Sep 4, 2023 · 7 comments
Closed

Token approval (max) not revoked for old addresses #1189

code423n4 opened this issue Sep 4, 2023 · 7 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-1662 low quality report This report is of especially low quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L339-L348
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVault.sol#L207

Vulnerability details

Impact

Old addresses keep approval after new addresses are set in setAddresses() function, which may lead to exploitation if old addresses are compromised.

Proof of Concept

  • RdpxV2Core: link
  • PerpetualAtlanticVault: link

The function allows the admin to set the new addresses for multiple contracts. However, the approval to spend weth for several old addresses are not revoked and remains at max for:

  • perpetualAtlanticVault
  • dopexAMMRouter
  • dpxEthCurvePool
  • rdpxV2ReceiptToken

In the event any of the old addresses are compromised this may lead to unwanted transfers of weth tokens.

Tools Used

Manual review

Recommended Mitigation Steps

Revoke the approval for old addresses before setting new ones. Suggestion to either set approval to 0 first for old addresses within the function:

RdpxV2Core.sol

 IERC20WithBurn(weth).approve(
            addresses.perpetualAtlanticVault,
            0
        );
        IERC20WithBurn(weth).approve(
            addresses.dopexAMMRouter,
            0
        );
        IERC20WithBurn(weth).approve(
            addresses.dpxEthCurvePool,
            0
        );
        IERC20WithBurn(weth).approve(
            addresses.rdpxV2ReceiptToken,
            0
        );

PerpetualVault.sol

    collateralToken.safeApprove(
      addresses.perpetualAtlanticVaultLP,0);
Or, to implement an internal function call to set approval to 0 for all old addresses, place before the setting of the new addresses in the setAddresses() function; repeat for PerpetualVault with just the required address.
function revokeOldAddressApprovals() internal {
    // set all old addresses to 0 approval of weth
    IERC20WithBurn(weth).approve(
            addresses.perpetualAtlanticVault, 0);
    IERC20WithBurn(weth).approve(
            addresses.dopexAMMRouter, 0);
    IERC20WithBurn(weth).approve(
            addresses.dpxEthCurvePool, 0);
    IERC20WithBurn(weth).approve(
            addresses.rdpxV2ReceiptToken, 0);
}

Assessed type

Other
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 4, 2023
code423n4 added a commit that referenced this issue Sep 4, 2023
@code423n4
COSMIC-BEE-REACH issue #1189
7ef1630
@c4-pre-sort
Copy link

bytes032 marked the issue as duplicate of #928

@c4-pre-sort c4-pre-sort reopened this Sep 11, 2023
@c4-pre-sort
Copy link

bytes032 marked the issue as not a duplicate

@c4-pre-sort c4-pre-sort added the low quality report This report is of especially low quality label Sep 11, 2023
@c4-pre-sort
Copy link

bytes032 marked the issue as low quality report

@c4-pre-sort
Copy link

bytes032 marked the issue as duplicate of #928

@c4-pre-sort c4-pre-sort reopened this Sep 11, 2023
@c4-pre-sort
Copy link

bytes032 marked the issue as not a duplicate

@c4-pre-sort
Copy link

bytes032 marked the issue as duplicate of #1662

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Oct 6, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Oct 6, 2023

GalloDaSballo marked the issue as unsatisfactory:
Out of scope

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-1662 low quality report This report is of especially low quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@code423n4 @c4-judge @c4-pre-sort