Skip to content
This repository has been archived by the owner on Sep 15, 2024. It is now read-only.

0xadrii - DoS in BBLeverage and SGLLeverage due to using wrong leverage executor interface #115

Open
sherlock-admin4 opened this issue Mar 15, 2024 · 2 comments
Open

0xadrii - DoS in BBLeverage and SGLLeverage due to using wrong leverage executor interface #115

sherlock-admin4 opened this issue Mar 15, 2024 · 2 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin4
Copy link
Contributor

sherlock-admin4 commented Mar 15, 2024
edited by sherlock-admin3
Loading

0xadrii

high

DoS in BBLeverage and SGLLeverage due to using wrong leverage executor interface

Summary

A DoS takes place due to utilizing a wrong interface in the leverage modules.

Vulnerability Detail

BBLeverage.sol and SGLLeverage.sol use a wrong interface to interact with the leverageExecutor contract. This will make the sellCollateral() and buyCollateral() functions always fail and render the BBLeverage.sol and SGLLeverage.sol unusable.

As we can see in the following snippets, when these contracts interact with the leverageExecutor to call its getAsset() and getCollateral() functions, they do it passing 6 parameters in each of the functions:

// BBLeverage.sol

function buyCollateral(address from, uint256 borrowAmount, uint256 supplyAmount, bytes calldata data) 
        external
        optionNotPaused(PauseType.LeverageBuy)
        solvent(from, false)
        notSelf(from)  
        returns (uint256 amountOut) 
    { 
        ...

        
        { 
            amountOut = leverageExecutor.getCollateral( 
                collateralId, 
                address(asset),
                address(collateral),
                memoryData.supplyShareToAmount + memoryData.borrowShareToAmount,
                calldata_.from,
                calldata_.data
            );
        }
        ...
    }
    
    function sellCollateral(address from, uint256 share, bytes calldata data)
        external
        optionNotPaused(PauseType.LeverageSell)
        solvent(from, false)
        notSelf(from)
        returns (uint256 amountOut)
    {
       ...

        amountOut = leverageExecutor.getAsset(
            assetId, address(collateral), address(asset), memoryData.leverageAmount, from, data
        ); 

        ...
    }

However, the leverage executor’s getAsset() and getCollateral() functions have just 4 parameters, as seen in the BaseLeverageExecutor.sol base contract used to build all leverage executors:

// BaseLeverageExecutor.sol

/**
     * @notice Buys an asked amount of collateral with an asset using the ZeroXSwapper.
     * @dev Expects the token to be already transferred to this contract.
     * @param assetAddress asset address.
     * @param collateralAddress collateral address.
     * @param assetAmountIn amount to swap.
     * @param data SLeverageSwapData.
     */
    function getCollateral(address assetAddress, address collateralAddress, uint256 assetAmountIn, bytes calldata data)
        external
        payable
        virtual
        returns (uint256 collateralAmountOut)
    {}

    /**
     * @notice Buys an asked amount of asset with a collateral using the ZeroXSwapper.
     * @dev Expects the token to be already transferred to this contract.
     * @param collateralAddress collateral address.
     * @param assetAddress asset address.
     * @param collateralAmountIn amount to swap.
     * @param data SLeverageSwapData.
     */
    function getAsset(address collateralAddress, address assetAddress, uint256 collateralAmountIn, bytes calldata data)
        external
        virtual
        returns (uint256 assetAmountOut)
    {}

Impact

High. Calls to the leverage modules will always fail, rendering these features unusable.

Code Snippet

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLeverage.sol#L93

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLeverage.sol#L144

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/singularity/SGLLeverage.sol#L77

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/singularity/SGLLeverage.sol#L129

Tool used

Manual Review

Recommendation

Update the interface used in BBLeverage.sol and SGLLeverage.sol and pass the proper parameters so that calls can succeed.
@github-actions github-actions bot added Medium A valid Medium severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Mar 20, 2024
This was referenced Mar 20, 2024
Closed
Closed
Closed
@sherlock-admin4
Copy link
Contributor Author

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

refer to comments on #44

@sherlock-admin2 sherlock-admin2 added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Mar 21, 2024
@sherlock-admin4
Copy link
Contributor Author

The protocol team fixed this issue in PR/commit https://github.com/Tapioca-DAO/Tapioca-bar/pull/362; Tapioca-DAO/tapioca-periph#201.

@sherlock-admin3 sherlock-admin3 changed the title Skinny Wool Mallard - DoS in BBLeverage and SGLLeverage due to using wrong leverage executor interface 0xadrii - DoS in BBLeverage and SGLLeverage due to using wrong leverage executor interface Mar 31, 2024
@sherlock-admin3 sherlock-admin3 added the Reward A payout will be made for this issue label Mar 31, 2024
@CergyK CergyK mentioned this issue Apr 2, 2024
Closed
@Evert0x Evert0x added High A valid High severity issue and removed Medium A valid Medium severity issue labels Apr 10, 2024
@Evert0x Evert0x closed this as completed Apr 10, 2024
@Evert0x Evert0x reopened this Apr 10, 2024
@Evert0x Evert0x added Medium A valid Medium severity issue and removed High A valid High severity issue labels Apr 10, 2024
@0xRektora 0xRektora mentioned this issue Apr 12, 2024
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Evert0x @sherlock-admin2 @sherlock-admin3 @sherlock-admin4