H-01 MitigationConfirmed

[c4-bot-7]

Lines of code

Vulnerability details

C4 issue

H-01: V3Vault.sol permit signature does not check receiving token address is USDC

Comment

The issues comes from the fact that whenever permit2.permitTransferFrom is used in V3Vault,
the original code doesn't check if the input token in permit is the same with the vault's asset token:

if (permitData.length > 0) {
                (ISignatureTransfer.PermitTransferFrom memory permit, bytes memory signature) =
                    abi.decode(permitData, (ISignatureTransfer.PermitTransferFrom, bytes));
                permit2.permitTransferFrom(
                    permit, ISignatureTransfer.SignatureTransferDetails(address(this), assets), msg.sender, signature
                );
            }

This allows the attacker to input any ERC20 token and proceed without actually transferring asset tokens
to the vault.

Mitigation

PR #19
The code now checks if input token is the same with asset token every time permit2.permitTransferFrom is used:

if (permitData.length != 0) {
                (ISignatureTransfer.PermitTransferFrom memory permit, bytes memory signature) =
                    abi.decode(permitData, (ISignatureTransfer.PermitTransferFrom, bytes));

                if (permit.permitted.token != asset) {
                    revert InvalidToken();
                }

                permit2.permitTransferFrom(
                    permit, ISignatureTransfer.SignatureTransferDetails(address(this), assets), msg.sender, signature
                );
            }

The mitigation resolved the original issue.

Conclusion

LGTM

[c4-judge]

jhsagd76 marked the issue as satisfactory