This repository has been archived by the owner on Jan 7, 2024. It is now read-only.
xiaoming90 - Users' funds could be stolen or locked by malicious or rouge owners #54
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Won't Fix
The sponsor confirmed this issue will not be fixed
xiaoming90
medium
Users' funds could be stolen or locked by malicious or rouge owners
Summary
Users' funds could be stolen or locked by malicious or rouge owners.
Vulnerability Detail
In the contest's README, the following was mentioned.
It was understood that the owner is not "trusted" and should not be able to steal funds. Thus, it is fair to assume that the sponsor is keen to know if there are vulnerabilities that could allow the owner to steal funds or, to a lesser extent, lock the user's funds.
Many control measures are implemented within the protocol to prevent the owner from stealing or locking the user's funds.
However, based on the review of the codebase, there are still some "loopholes" that the owner can exploit to steal funds or indirectly cause losses to the users. Following is a list of methods/tricks to do so.
Method 1 - Use the vulnerable
withdrawNative
functionOnce the user's order is fulfilled, the swapped ETH/WETH will be sent to the contract awaiting the user's claim. However, the owner can call the
withdrawNative
function, which will forward all the Native ETH and Wrapped ETH in the contract to the owner's address due to another bug ("Lack of segregation between users' assets and collected fees resulting in loss of funds for the users") that I highlighted in another of my report.Method 2 - Add a malicious custom price feed
https://github.com/sherlock-audit/2023-06-gfx/blob/main/uniswap-v3-limit-orders/src/LimitOrderRegistry.sol#L482
The owner can create a malicious price feed contract and configure the
LimitOrderRegistry
to use it by calling thesetFastGasFeed
function.https://github.com/sherlock-audit/2023-06-gfx/blob/main/uniswap-v3-limit-orders/src/LimitOrderRegistry.sol#L914
When fulfilling an order, the
getGasPrice()
function will fetch the gas price from the malicious price feed that will report an extremely high price (e.g., 100000 ETH), causing theestimatedFee
to be extremely high. When users attempt to claim the order, they will be forced to pay an outrageous fee, which the users cannot afford to do so. Thus, the users have to forfeit their orders, and they will lose their swapped tokens.Impact
Users' funds could be stolen or locked by malicious or rouge owners.
Code Snippet
https://github.com/sherlock-audit/2023-06-gfx/blob/main/uniswap-v3-limit-orders/src/LimitOrderRegistry.sol#L505
https://github.com/sherlock-audit/2023-06-gfx/blob/main/uniswap-v3-limit-orders/src/LimitOrderRegistry.sol#L482
Tool used
Manual Review
Recommendation
Consider implementing the following measures to reduce the risk of malicious/rouge owners from stealing or locking the user's funds.
withdrawNative
function. Refer to my recommendation in my report titled "Lack of segregation between users' assets and collected fees resulting in loss of funds for the users".MAX_GAS_PRICE
constant. If it is larger thanMAX_GAS_PRICE
constant, fallback to the user-defined gas feed, which is constrained to be less thanMAX_GAS_PRICE
.The text was updated successfully, but these errors were encountered: