Raspy Paisley Reindeer
High
`Abond_Token::transferFrom` updates the state of `msg.sender` from the state of the address `from` (an arbitrary, caller-supplied address). A malicious user can exploit this to change their own state and cause a business-logic error.
The offending line is:

```solidity
userStates[msg.sender] = fromState;
```

The state of the address `from` is fetched using `State memory fromState = userStates[from];`, and then the state of `msg.sender` is updated with `userStates[msg.sender] = fromState;`, even though these two addresses may be different.
```solidity
function transferFrom(
    address from,
    address to,
    uint256 value
) public override returns (bool) {
    // check the input params are non zero
    require(from != address(0) && to != address(0), "Invalid User");
    // get the sender and receiver state
    State memory fromState = userStates[from];
    State memory toState = userStates[to];
    // update receiver state
    toState = Colors._credit(fromState, toState, uint128(value));
    userStates[to] = toState;
    // update sender state
    fromState = Colors._debit(fromState, uint128(value));
    // BUG (as reported): the debited state is written to msg.sender, not to `from`
    userStates[msg.sender] = fromState;
    // transfer abond
    super.transferFrom(from, to, value);
    return true;
}
```
The fields of the `State` struct are what this bug overwrites for `msg.sender`:

```solidity
struct State {
    uint256 cumulativeRate;
    uint128 ethBacked;
    uint128 aBondBalance;
}
```
The user needs to approve the attacker with a small allowance, since the vulnerable function in question is `transferFrom`.
- USER-A approves USER-B with a small amount of allowance.
- USER-B calls `Abond_Token::transferFrom` and uses the address of USER-A in the `from` field to transfer the approved funds. `fromState` holds the values for USER-A: `fromState = Colors._debit(fromState, uint128(value));`
- After the debit, the value of `fromState` is assigned to `msg.sender`: `userStates[msg.sender] = fromState;`
Theft of funds.
Change `userStates[msg.sender] = fromState;` to `userStates[from] = fromState;`.
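To make the accounting effect of the bug and of the recommended fix concrete, here is an added Python model of the `transferFrom` flow; it is not code from the Abond project. The `State` mirror follows the struct above, while `debit`/`credit` are assumed simplifications of `Colors._debit`/`Colors._credit` (pro-rata `ethBacked`, balance-weighted `cumulativeRate`), and the user addresses and balances are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class State:
    """Mirror of the contract's State struct, as plain ints."""
    cumulative_rate: int
    eth_backed: int
    abond_balance: int


def debit(s: State, value: int) -> State:
    """Stand-in for Colors._debit (assumption: ethBacked leaves pro rata)."""
    if s.abond_balance < value:
        raise ValueError("insufficient aBond balance")
    eth_out = s.eth_backed * value // s.abond_balance
    return State(s.cumulative_rate, s.eth_backed - eth_out, s.abond_balance - value)


def credit(src: State, dst: State, value: int) -> State:
    """Stand-in for Colors._credit (assumption: pro-rata eth, weighted rate)."""
    if src.abond_balance < value:
        raise ValueError("insufficient aBond balance")
    eth_in = src.eth_backed * value // src.abond_balance
    new_bal = dst.abond_balance + value
    rate = (dst.cumulative_rate * dst.abond_balance + src.cumulative_rate * value) // new_bal
    return State(rate, dst.eth_backed + eth_in, new_bal)


def transfer_from(states, allowances, sender, frm, to, value, fixed):
    """Model of Abond_Token::transferFrom; fixed=False reproduces the reported bug."""
    if frm == "0x0" or to == "0x0":
        raise ValueError("Invalid User")
    from_state = states[frm]
    to_state = credit(from_state, states[to], value)
    states[to] = to_state
    from_state = debit(from_state, value)
    # The reported bug: the debited state lands on msg.sender instead of `from`.
    states[frm if fixed else sender] = from_state
    # super.transferFrom: the ERC20 allowance check, which the bug does not touch.
    if allowances.get((frm, sender), 0) < value:
        raise ValueError("insufficient allowance")
    allowances[(frm, sender)] -= value
    return True


def total_abond(states) -> int:
    """Invariant: a transfer must not change the sum of recorded aBond balances."""
    return sum(s.abond_balance for s in states.values())


def scenario(fixed: bool):
    # Constructed example: A holds 1000 aBond, approves B for 100, B moves them to C.
    states = {"A": State(5, 10_000, 1000), "B": State(0, 0, 0), "C": State(0, 0, 0)}
    allowances = {("A", "B"): 100}
    transfer_from(states, allowances, sender="B", frm="A", to="C", value=100, fixed=fixed)
    return states
```

With `fixed=False`, A's recorded state is never reduced while B inherits A's debited state, so the summed `aBondBalance` doubles; with `fixed=True` the sum is unchanged.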