Skip to content

Latest commit

 

History

History
38 lines (22 loc) · 2.66 KB

061.md

File metadata and controls

38 lines (22 loc) · 2.66 KB
Raw

Future Honeysuckle Cuckoo

Medium

AmirX.sol - stuck funds can be stolen via arbitrary trades, instead of being rescued by the SUPPORT

Summary

The AmirX.sol contract executes all stablecoin, defi and their mixed trades, handling the buy backs and fee distributions resulting from those trades. The contract introduces a SUPPORT role meant to be able to rescue mistakenly sent funds or funds which ended up as stuck as dust, as a result of some arbitrary swap aggregator logic. However, due to a few lacking input validations for the user provided swap structs, anyone would be able to steal those stuck funds.

Root Cause

The core issue is the fact that the addresses provided with the swap parameters are not sanitized from any values, other than the address(0) check inside nonZero modifier: https://github.com/sherlock-audit/2024-11-telcoin/blob/main/telcoin-audit/contracts/stablecoin/StablecoinHandler.sol#L103-L110

This, combined with the ways that allowances work, could allow any swapper to provide the address of the AmirX contract as a wallet and take out the funds and send them to themselves, stealing any residual funds inside the contract.

Attack Path

  1. Due to trades, some accidental fund sends, etc, the AmirX contract has accumulated some X funds of a token
  2. Bob notices this and executes a plain stablecoinSwap with parameters: wallet = address(AmirX), oAmount = X, liquiditySafe = destination = address(Bob). He would also need to grant the contract allowance, as it will try to take the funds out of his fake safe, which is his own address
  3. He executes the swap and depending on the token it will either: get burned from the contract and minted to him OR get transferred out of the contract and to himself (twice, which is irrelevant). The transfer would work since the wallet will be the AmirX contract, thus transferFrom would not need an allowance, the contract is transferring those funds out of itself.

This is one of the ways the arbitrary parameters can be used to manipulate the residual funds, the other one is to set a tAmount that accounts for the stuck funds and set liquiditySafe = AmirX. This way the line: https://github.com/sherlock-audit/2024-11-telcoin/blob/main/telcoin-audit/contracts/stablecoin/StablecoinHandler.sol#L175-L178 would send the dust to the attacker.

Impact

Users are able to steal and execute stablecoin swaps with stuck funds, meant to be rescued and saved.

PoC

No response

Mitigation

Sanitize the addresses provided as part of the swap params, such as that the wallet and liquiditySafe cannot be equal to the AmirX contract address and other critical addresses that could hold funds.