Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Approved lenders and borrowers can allow and block any arbitrary address #157

Open
code423n4 opened this issue Aug 17, 2022 · 3 comments
Open

Approved lenders and borrowers can allow and block any arbitrary address #157

code423n4 opened this issue Aug 17, 2022 · 3 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPair.sol#L288-L296
https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPair.sol#L307-L315

Vulnerability details

Impact

Whitelisted addresses are able to deploy customized pairs. One of the customizations is the enforcement of a lender and borrower allowlist and blocklist by providing an array of approved borrowers _approvedBorrowers and/or an array of the approved lenders _approvedLenders.

Lender and borrowers can be approved/blocked by invoking the functions FraxlendPair.setApprovedLenders or FraxlendPair.setApprovedBorrowers. Only approved lenders, as well as approved borrowers, are able to call those functions.

However, an approved lender is able to approve and block any other arbitrary address. Same for borrowers. If any of the approved lenders or borrowers turn dishonest and malicious, this single actor is able to front-run and block all other addresses and prevent them from using the deployed pair.

Blocked lenders are not able to use the following functions:

  • FraxlendPairCore.deposit
  • FraxlendPairCore.mint
  • FraxlendPairCore.liquidate
  • FraxlendPairCore.liquidateClean

Blocked borrowers are not able to use the following functions:

  • FraxlendPairCore.borrowAsset
  • FraxlendPairCore.leveragedPosition

Proof of Concept

FraxlendPair.sol#L288-L296

function setApprovedLenders(address[] calldata _lenders, bool _approval) external approvedLender(msg.sender) {
    for (uint256 i = 0; i < _lenders.length; i++) {
        // Do not set when _approval == false and _lender == msg.sender
        if (_approval || _lenders[i] != msg.sender) {
            approvedLenders[_lenders[i]] = _approval;
            emit SetApprovedLender(_lenders[i], _approval);
        }
    }
}

FraxlendPair.sol#L307-L315

function setApprovedBorrowers(address[] calldata _borrowers, bool _approval) external approvedBorrower {
    for (uint256 i = 0; i < _borrowers.length; i++) {
        // Do not set when _approval == false and _borrower == msg.sender
        if (_approval || _borrowers[i] != msg.sender) {
            approvedBorrowers[_borrowers[i]] = _approval;
            emit SetApprovedBorrower(_borrowers[i], _approval);
        }
    }
}

Tools Used

Manual review

Recommended mitigation steps

Consider allowing only the owner of the deployed pair to allow/block addresses. Otherwise, the list of approved lenders/borrowers can grow very fast and the chance of having a bad actor as one of the approved addresses, is very high. It only takes a single bad actor to denial-of-service the deployed pair.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Aug 17, 2022
code423n4 added a commit that referenced this issue Aug 17, 2022
@code423n4
berndartmueller issue #157
4ff7961
@0xA5DF
Copy link

0xA5DF commented Aug 17, 2022

Duplicate of #135

This was referenced Aug 29, 2022
Closed
Closed
Closed
Closed
Open
Open
Closed
Closed
Closed
Open
Open
@DrakeEvans
Copy link
Collaborator

This is the intended design, approvedBorrower and approvedLenders are meant to represent a single entity. Like a single DAO, the ability to have multiple addresses is a convenience but ultimately the responsibility of each side of the contract lies with the borrower or lender.

@DrakeEvans DrakeEvans added sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) labels Sep 6, 2022
@gititGoro
Copy link
Collaborator

Both the sponsor and the wardens have solid arguments to make in support of this issue being either valid or invalid.
On the one hand, this feature is by design as the sponsor has pointed out and is not in practice open to abuse. For this reason, it could be considered invalid. However, the wardens are not wrong to point out that giving peer contracts co-admin rights presents a horizontal risk.

Ultimately the risk is largely mitigated by the fact that the entrance into becoming an approved entity is via the initial whitelist. As long as the deployer has tight control over the initial whitelist, this should be the case.

Nonetheless, the horizontal risk is amplified with every newly approved lender/borrower. It only takes one mistake to destroy the whole system. So it would be best practice to employ a hierarchy of admin granting such as owner->approved whitelisting.

This issue and all the duplicates will be converted to QA and linked to existing QA issues submitted by these wardens.

TL;DR It is not good practice to allow for horizontal admin granting but it suits the need of the Frax DAO and the sponsor has intentionally chosen this design. The feature will be treated as a security smell

@gititGoro gititGoro added downgraded by judge QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Sep 27, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@gititGoro @DrakeEvans @code423n4 @0xA5DF