This repository has been archived by the owner on Sep 15, 2024. It is now read-only.
cergyk - BBLeverage::buyCollateral Malicious operator can abuse _allowedBorrow approval on Big bang market #31
Labels
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Disputed
The sponsor disputed this issue's validity
Will Fix
The sponsor confirmed this issue will be fixed
Comments
|
Medium; Pre-conditioned by the user making the exploit possible |
sherlock-admin2
added
Sponsor Disputed
github-actions
bot
added
Medium
nevillehuang
added
Has Duplicates
sherlock-admin3
changed the title
Evert0x
added
High
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
cergyk
high
BBLeverage::buyCollateral Malicious operator can abuse _allowedBorrow approval on Big bang market
Summary
buyCollateral enables a user to deleverage a borrow position on a BigBang market. However in the case an operator uses an user allowance to carry the operation on the user behalf, he can abuse the approval to make the user transfer an arbitrary amount (within the limits of a yieldbox approval to the market).
Vulnerability Detail
We can see that the
_allowedBorrowis checked at the end of buyCollateralHowever it fails to account that the operator controls slippage incurred here
And thus even though
_allowedBorrowis checked, an arbitrarily big amount can be pulled here provided the user has an unlimited approval of the yield box contract to the big bang market.It is worth to be noted that unlimited approvals are common among users wanting to save on gas.
It is also worth to be noted that the malicious operator has to be approved for some amount of borrow by the user because of this condition
Scenario
Alice has approved operator Bob for 1 wei of borrow on ETH BigBang market.
Bob can call
buyCollateralon behalf of Alice, specifying an arbitrarycalldata_.supplyAmountwhich will use Alice's unlimited approval of yieldBox usdo asset here, then swap it usinggetCollateraland ensure theamountOutto be 1 wei (can use a malicious token on the swap path).As a result all of the checks have passed, but Alice is drained of her usdo
Impact
allowedBorrow allowance can be abused by a malicious operator to steal tokens from users.
Code Snippet
Tool used
Manual Review
Recommendation
Add an additional check against an oracle to not incur excessive slippage in the
getCollateralswapAlternatively, consider to spend lending allowance when pulling usdo instead of spending borrow allowance when providing collateral
Duplicate of #140
The text was updated successfully, but these errors were encountered: