-
Notifications
You must be signed in to change notification settings - Fork 2
toshii - Malicious users can steal excess ETH in the UniswapExtension and TxBuilderExtension contracts #198
Comments
Sponsor confirmed. Valid medium. Will be adding more duplicates previously in excluded |
I correct my decision. As spoken with sponsor, the contract does not handle eth itself, therefore the only way this would make sense is if a user sense eth to the contract by error, which sherlock does not consider a medium. Low |
Escalate for 10 USD Therefore, this is a valid Medium as per the definition: "causes a loss of funds but requires certain external conditions or specific states". Firstly, it's clear that this is a valid attack path which will result in stolen funds. Secondly, there are numerous paths in which users taking normal actions as defined by the contract will result in ETH being stuck in this contract. |
You've created a valid escalation for 10 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Agree with the comment made by 0xToshii, adding the escalation I opened on issue #145 to complement what 0xToshii said. |
Agree with escalation. As stated issue #361 is a way for eth to get stuck in the contract, which makes this attack path valid. This issue should be a medium |
fix: ibdotxyz/ib-v2#53 and ibdotxyz/ib-v2#63 |
Result: |
Escalations have been resolved successfully! Escalation status:
|
toshii
medium
Malicious users can steal excess ETH in the UniswapExtension and TxBuilderExtension contracts
Summary
A malicious user can steal any excess ETH which is stored in the UniswapExtension and TxBuilderExtension contracts due to
msg.value
not being cached.Vulnerability Detail
Due to incorrect user behavior, there can be excess ETH contained within the UniswapExtension and TxBuilderExtension contracts. For example, a user might accidentally send ETH directly to the contract, which will not revert given the
receive
function. There is aseizeNative
function which is intended to be called to rescue user funds when this happens. The issue is that a malicious user is able to steal any excess ETH in the contract prior to the admin being able to rescue these funds.This is because (using the TxBuilderExtension as the example) the
execute
, and subsequently theexecuteInternal
function accepts an array of actions to take. One potential action that can be taken isACTION_SUPPLY_NATIVE_TOKEN
, which will trigger a call tosupplyNativeToken
. In thesupplyNativeToken
function, they supply the user an amount equal tomsg.value
:This is an issue because a malicious user can take the following step to steal excess ETH in the contract (assume there is 1 ETH in the contract):
execute
with an array of actions which will triggerACTION_SUPPLY_NATIVE_TOKEN
twice with 1 ETH as the valueIn the first call, it will correctly use the ETH provided by the malicious user. However, on the second call it will use the 1 ETH which is trapped in the contract. Thus, the malicious user is able to steal the ETH.
Impact
A malicious user is able to steal any excess ETH from the UniswapExtension and TxBuilderExtension contracts prior to any admin being able to rescue the funds
Code Snippet
Referenced lines of code:
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/extensions/TxBuilderExtension.sol#L252-L256
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/extensions/UniswapExtension.sol#L460-L464
Tool used
Manual Review
Recommendation
The
msg.value
value should be cached at the start of theexecuteInternal
function call, and should be passed to all relevant functions, rather than those functions usingmsg.value
directly.The text was updated successfully, but these errors were encountered: