Skip to content

Latest commit

 

History

History
40 lines (23 loc) · 2.52 KB

096.md

File metadata and controls

40 lines (23 loc) · 2.52 KB

chaduke

high

A malicious forwarder might abuse a sender's approval for a specific market A in a differt market B.

Summary

A malicious forwarder might abuse a sender's approval for a specific market A in another different market B. The main problem is that _approvedForwarderSenders[_forwarder] does not keep track of which market the approval is for.

For the same reason, function hasApprovedMarketForwarder() might return wrong result.

Vulnerability Detail

We show how a malicious forwarder F might abuse a sender X's approval for a specific market A in another different market B, which is a serious security problem since X has never approved F for market B.

  1. Suppose F is a trusted market forwarder for both markets A and B;
  2. X calls approveMarketForwarder(A, F) to authorize F as X's forwarder for market A. Now _approvedForwarderSenders[F] will contain X;
  3. F can abuse the approval from X and can serve as X's forwarder for market B as well although X has never authorized this. This is possible because _approvedForwarderSenders[_forwarder] does not keep track of which market the approval is for.
  4. To see this, consider that F calls _msgSenderForMarket(B) to retrieve the function caller address by checking the appended sender address at the end of calldata. All the checks will pass since _approvedForwarderSenders[B, F] is true and _approvedForwarderSenders[F].contains(X) is also true. This means X will be considered as the sender for market B if X is appended to the calldata!
  5. Such abuse might lead to unauthorized function calls and loss of funds, for example, the forwarder might loan on behalf of X from another market that X has never authorized.

Impact

A malicious forwarder might abuse a sender's approval for a specific market A in a different market B. Such abuse might lead to unauthorized function calls and loss of funds.

The function hasApprovedMarketForwarder() might return wrong result. For example, X approves F on market A, and F is a forwarder for both markets A and B, then this function will wrongly return the result that X also approves F for market B, which is not true.

Code Snippet

See above

Tool used

VSCode

Manual Review

Recommendation

_approvedForwarderSenders[_forwarder] should be extended to include _marketId so that the approval for one market cannot be used for another market.