Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

0x46 - Untrusted token burn vulnerability in burnStableTokens() #77

Open
sherlock-admin3 opened this issue Oct 31, 2024 · 0 comments
Open

Comments

@sherlock-admin3
Copy link

sherlock-admin3 commented Oct 31, 2024

0x46

High

Untrusted token burn vulnerability in burnStableTokens()

Summary

The burnStableTokens function is susceptible to attacks when dealing with untrusted or malicious tokens. Specifically, the function’s reliance on safeTransferFrom and safeBurn allows a malicious token contract to exploit these methods, potentially causing reentrancy attacks or enabling fake burn behaviors. These issues arise because of the lack of validation for the token address, allowing any token contract with a compatible interface to interact with burnStableTokens without restriction.
https://github.com/sherlock-audit/2024-10-mento-update/blob/main/mento-core/contracts/swap/Broker.sol#L187-L191

Root Cause

The lack of validation or control over the token parameter.

  1. Reentrancy Vulnerability: safeTransferFrom or safeBurn could call back into Broker due to custom logic in the token contract, causing reentrancy issues.
  2. Fake Burn Behavior: Malicious tokens may implement a burn function that does not correctly reduce the token balance, allowing repeated and unintended calls to burnStableTokens.
  3. Unintended Transfer Logic: Custom or manipulated safeTransferFrom and safeBurn functions could lead to unverified token transfers, draining funds from either the contract or the user.

Internal pre-conditions

  1. msg.sender must call burnStableTokens with a valid token and amount parameter.
  2. The ERC-20 token contract for token must implement safeTransferFrom and burn (either directly or via safeBurn), but the contract does not verify whether these methods are standard or have safe behaviors.

External pre-conditions

  1. The token contract may have custom implementations for safeTransferFrom and safeBurn, which can include:
  • Callback functions that invoke reentrancy paths.
  • Non-standard behaviors that don’t deduct tokens as expected.
  1. The user’s wallet has sufficient balance and approval set up for the contract to execute safeTransferFrom.

Attack Path

Reentrancy Attack

A malicious token contract overrides safeTransferFrom or safeBurn with a callback function that re-enters Broker, potentially leading to unexpected behaviors, state manipulation, or draining of funds.

Fake Burn Behavior

A malicious token contract implements a burn function that doesn’t actually reduce the contract’s token balance, allowing the attacker to call burnStableTokens multiple times without ever reducing the total token balance, thereby allowing a “free burn” for fake tokens.

Unexpected Fund Transfers

By overriding safeTransferFrom, a malicious token could transfer funds unexpectedly (e.g., from other addresses), potentially draining user accounts or creating imbalances.

Impact

No response

PoC

No response

Mitigation

Implement checks to verify successful balance reductions after a burn, ensuring the contract’s balance is reduced as expected.
Use standard libraries like OpenZeppelin's SafeERC20 to wrap ERC-20 calls, which includes additional checks and ensures safe execution.
Add a nonReentrant modifier to burnStableTokens to prevent reentrancy attacks.

@sherlock-admin3 sherlock-admin3 changed the title Calm Sandstone Shell - Untrusted token burn vulnerability in burnStableTokens() 0x46 - Untrusted token burn vulnerability in burnStableTokens() Nov 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant