This repository has been archived by the owner on Dec 17, 2023. It is now read-only.

qbs - User can steal ETH that is stuck in contract which should be retrieved by the owner #284

Closed
sherlock-admin opened this issue Jun 11, 2023 · 0 comments
Labels
Non-Reward This issue will not receive a payout

sherlock-admin commented Jun 11, 2023

qbs

medium

User can steal ETH that is stuck in contract which should be retrieved by the owner

Summary

The TxBuilderExtension contract allows an attacker to abuse the execute function to steal the Ether that is stuck within the contract.

Vulnerability Detail

The execute function in the TxBuilderExtension contract is a publicly accessible function that allows external callers to execute a series of actions. It takes an array of Action as input and invokes the internal executeInternal function.
The executeInternal function handles the execution of individual actions within the execute function. It iterates over the array of Action structures and performs different actions based on the name field of each Action.

However, let's assume that there is 1 ETH in the TxBuilderExtension contract.

  1. Attacker calls TxBuilderExtension.execute with two calls to supplyNativeToken and send along 1 ETH.
  2. Since there is 1 additional ETH in the contract, both calls succeed, leaving 0 ETH in the contract. Thereby the attacker has stolen the 1 ETH which only the owner should be able to rescue.

Stuck ETH can also be used for repaying a position, using repayNativeToken.

Note: The same issue applies to similar functionality in the UniswapExtension contract.

Impact

Attacker can steal the ETH from the TxBuilderExtension contract that should only be accessible to the owner of the contract.

Code Snippet

https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/extensions/TxBuilderExtension.sol#L100-L102
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/extensions/TxBuilderExtension.sol#L141-L197
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/extensions/TxBuilderExtension.sol#L252-L256
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/extensions/TxBuilderExtension.sol#L290-L306

Tool used

Manual Review

Recommendation

Introduce additional accounting mechanisms to ensure that only the appropriate msg.value is spent.

Duplicate of #198
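
One way to implement the accounting that the Recommendation asks for, as an added example that is not part of the original report and is not the Iron Bank source. The contract `NativeBudgetBatch`, the `IWrappedNative` interface, the `Step` struct and all function names are hypothetical; the sketch assumes each native-token action wraps ETH before crediting the user.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: hypothetical contract, not the Iron Bank TxBuilderExtension source.
// IWrappedNative, Step and every function name here are illustrative assumptions.
interface IWrappedNative {
    function deposit() external payable;
}

contract NativeBudgetBatch {
    enum Kind { SupplyNative, RepayNative }
    struct Step { Kind kind; uint256 amount; }

    IWrappedNative public immutable wrapped;
    address public immutable owner;

    event NativeSpent(address indexed user, Kind kind, uint256 amount);
    error BudgetExceeded(uint256 requested, uint256 remaining);

    constructor(IWrappedNative wrapped_) {
        wrapped = wrapped_;
        owner = msg.sender;
    }

    // Each native-token step is charged against msg.value, never against
    // address(this).balance, so ETH already held by the contract is out of reach here.
    function execute(Step[] calldata steps) external payable {
        uint256 remaining = msg.value; // budget for this call only
        for (uint256 i = 0; i < steps.length; i++) {
            uint256 amount = steps[i].amount;
            if (amount > remaining) revert BudgetExceeded(amount, remaining);
            remaining -= amount;
            wrapped.deposit{value: amount}();
            emit NativeSpent(msg.sender, steps[i].kind, amount);
        }
        // Refund the unused part so it does not join the stuck balance.
        if (remaining > 0) {
            (bool ok, ) = msg.sender.call{value: remaining}("");
            require(ok, "refund failed");
        }
    }

    // Stuck ETH leaves only through the owner.
    function rescueNative(address payable to) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "rescue failed");
    }
}
```

With 1 ETH already held by this contract, a batch of two 1 ETH steps sent with 1 ETH reverts on the second step with `BudgetExceeded(1 ether, 0)`, leaving the stuck ETH in place for `rescueNative`.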

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jun 19, 2023
@0xffff11 0xffff11 added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Jun 22, 2023
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jun 25, 2023