Dandy Caramel Tortoise
Medium
Marketforwarder is shared across all markets for a user instead of just the intended market
The approveMarketForwarder is supposed to approve a forwarder contract for a specific market.
* @notice Approves a forwarder contract to use their address as a sender for a specific market.
* @notice The forwarder given must be trusted by the market given.
* @param _marketId An ID for a lending market.
* @param _forwarder A forwarder contract address.
*/
function approveMarketForwarder(uint256 _marketId, address _forwarder)
external
{
require(
isTrustedMarketForwarder(_marketId, _forwarder),
"Forwarder must be trusted by the market"
);
_approvedForwarderSenders[_forwarder].add(_msgSender());
emit MarketForwarderApproved(_marketId, _forwarder, _msgSender());But this is not followed. If a user approves a forwarder for one market, that forwarder can spoof the user for any other market in which they are considered trusted
function _msgSenderForMarket(uint256 _marketId)
internal
view
virtual
returns (address)
{
if (
msg.data.length >= 20 &&
isTrustedMarketForwarder(_marketId, _msgSender())
) {
address sender;
assembly {
sender := shr(96, calldataload(sub(calldatasize(), 20)))
}
// Ensure the appended sender address approved the forwarder
// @audit no market wise seperation
require(
=> _approvedForwarderSenders[_msgSender()].contains(sender),
"Sender must approve market forwarder"
);No response
No response
- User approves A as a trusted forwarder for MA
- A is also made the trusted forwarder of MB and MC by the respective owners
- A can now spoof the user for MB and MC also which they have not intended
The trusted forwarder for a market can spoof the user across all markets. This can result in bids and lendings for terms that the user doesn't align with
No response
Seperate forwarders marketwise