Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Zap contract's mint() allows minting ibbtc tokens for free #1

Open
code423n4 opened this issue Nov 14, 2021 · 4 comments
Open

Zap contract's mint() allows minting ibbtc tokens for free #1

code423n4 opened this issue Nov 14, 2021 · 4 comments
Labels
1 (Low Risk) bug Something isn't working disagree with severity sponsor disputed

Comments

@code423n4
Copy link
Contributor

Handle

Ruhum

Vulnerability details

Impact

The user can call the mint() function with any contract address that implements the safeTransferFrom() function. Thus, they can mint as many ibbtc tokens for free as they want.

Proof of Concept

https://github.com/Badger-Finance/ibbtc/blob/d8b95e8d145eb196ba20033267a9ba43a17be02c/contracts/Zap.sol#L100

Technically, they can deploy a contract that has a safeTransferFrom() function that simply returns true. They then call the mint() function and pass the contract address and an arbitrary value for the amount parameter. The mint() function will then go ahead and mint them the passed amount of ibbtc tokens without receiving anything in return.

There are no checks that verify that the passed token address is either the wBTC or renBTC token.

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add the following check to the beginning of the function:

require(token == address(ren) || token == address(wbtc);
@code423n4 code423n4 added bug Something isn't working 3 (High Risk) labels Nov 14, 2021
code423n4 added a commit that referenced this issue Nov 14, 2021
@code423n4
Ruhum issue #1
23dda41
@tabshaikh
Copy link
Collaborator

We should totally add the require(token == address(ren) || token == address(wbtc); as a best practice. Disagree on the risk as users would not be able to mint ibbtc for free as firstly the contract is to hold no token and this will revert https://github.com/Badger-Finance/ibbtc/blob/d8b95e8d145eb196ba20033267a9ba43a17be02c/contracts/Zap.sol#L129 if ren/ wbtc amount is not present

tabshaikh added a commit to Badger-Finance/ibbtc that referenced this issue Nov 14, 2021
@tabshaikh
fix: code-423n4/2021-11-badgerzaps-findings#1
e2b4b17
@GalloDaSballo
Copy link
Collaborator

Disagree with the finding, the finding claims that a user would be able to mint ibBTC with any token, this is not correct.

Using any token beside the supported ones, would cause a revert when adding liquidity to the pool or when we deposit in the yearn vault.

See code for revert:
https://github.com/Badger-Finance/ibbtc/blob/d8b95e8d145eb196ba20033267a9ba43a17be02c/contracts/Zap.sol#L104
https://github.com/Badger-Finance/ibbtc/blob/d8b95e8d145eb196ba20033267a9ba43a17be02c/contracts/Zap.sol#L108

@GalloDaSballo GalloDaSballo added invalid This doesn't seem right and removed sponsor risk - 1 (low risk) labels Nov 17, 2021
@CloudEllie CloudEllie added sponsor disputed and removed invalid This doesn't seem right labels Nov 17, 2021
@0xleastwood
Copy link
Collaborator

agree with sponsor, user's tx will revert if _addLiquidity or deposit is called. The two functions will attempt to pull the correct amount of funds from Zap.sol which would be 0 as in the warden's suggested attack vector.

@0xleastwood
Copy link
Collaborator

Will keep as low risk as it is useful to check token is either address(ren) or address(wbtc).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1 (Low Risk) bug Something isn't working disagree with severity sponsor disputed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@GalloDaSballo @tabshaikh @0xleastwood @code423n4 @CloudEllie