Skip to content

Latest commit

 

History

History
62 lines (48 loc) · 2.46 KB

068.md

File metadata and controls

62 lines (48 loc) · 2.46 KB

Saeedalipoor01988

medium

malicious admin can steal user's funds by set fee to high value

Summary

According to teller contest details, all roles, including the admin, should not be able to steal funds. But the current implementation allows the admin/owner to update the protocol fee without any restriction, such as timelock. This leads to an attack vector in which a malicious admin can steal a user's funds.

Vulnerability Detail

The function TellerV2.sol#L173.initialize() is used to set some important values for the protocol. One of these values is _protocolFee, TellerV2.sol#L181. This value gets sent to the ProtocolFee.sol#L21.__ProtocolFee_init() function to update the _protocolFee value.

function initialize(
        uint16 _protocolFee,
        address _marketRegistry,
        address _reputationManager,
        address _lenderCommitmentForwarder,
        address _collateralManager,
        address _lenderManager
    ) external initializer {
        __ProtocolFee_init(_protocolFee);
    function __ProtocolFee_init(uint16 initFee) internal onlyInitializing {
        __Ownable_init();
        __ProtocolFee_init_unchained(initFee);
    }
    function setProtocolFee(uint16 newFee) public virtual onlyOwner {
        // Skip if the fee is the same
        if (newFee == _protocolFee) return;

        uint16 oldFee = _protocolFee;
        _protocolFee = newFee;
        emit ProtocolFeeSet(newFee, oldFee);
    }

But, the malicious admin can set a malicious value for fees like type(uint16).max and there is not any validation to check fee is between minimum and maximum values.

Another issue with

Impact

A malicious admin can steal a user's funds.

Code Snippet

https://github.com/sherlock-audit/2023-03-teller/blob/main/teller-protocol-v2/packages/contracts/contracts/TellerV2.sol#L181 https://github.com/sherlock-audit/2023-03-teller/blob/main/teller-protocol-v2/packages/contracts/contracts/ProtocolFee.sol#L23 https://github.com/sherlock-audit/2023-03-teller/blob/main/teller-protocol-v2/packages/contracts/contracts/ProtocolFee.sol#L48

Tool used

Manual Review sherlock-audit/2023-03-Y2K-judging#47

Recommendation

update of protocol fee should be restricted with a timelock so users have time to make the decision to withdraw their funds from protocol or not and define Min and Max values in the ProtocolFee.sol#L44.setProtocolFee function.

require(newFee > MinFee && newFee < MaxFee, "");