HolographOperator admin can steal utility tokens #145
Labels: bug, edited-by-warden, grade-c, QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/HolographOperator.sol#L1049-L1053
Vulnerability details
Impact
The admin account controlling the HolographOperator can steal arbitrary amounts of utility tokens from bonded operators. This is enabled by a feature that lets the admin change the oracle mid-operation.
Proof of Concept
Here is a sequence of steps the admin can perform to steal the tokens. Notice that all steps can be done in one transaction.
Foundry test
A passing test means the exploit was successful.
test/foundry/HolographOperator.t.sol
foundry.toml
remappings.txt
Tools Used
VSCode, Foundry
Recommended Mitigation Steps
Reconsider the design choices of the HolographOperator that enable this vulnerability.
Is it necessary for the admin to change the utility token mid-operation?
If not, consider removing the capability.
If necessary, ensure that the internal accounting for the different tokens is separated.
Ensure operators can still withdraw previous balances obtained from all former utility tokens.
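One way to keep the accounting separated per token, shown as an added sketch that is not part of the original report and is not Holograph's code. The contract name `PerTokenBonding`, its functions and the `bondedIn` mapping are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Minimal ERC-20 surface used by this sketch.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical contract: names and layout are illustrative, not Holograph's.
contract PerTokenBonding {
    address public admin;
    address public utilityToken; // token accepted for NEW bonds only

    // token => operator => amount bonded in that specific token
    mapping(address => mapping(address => uint256)) public bondedIn;

    event UtilityTokenChanged(address indexed previous, address indexed current);

    constructor(address token) {
        admin = msg.sender;
        utilityToken = token;
    }

    // The admin may still rotate the token, but rotation never touches
    // balances recorded under a previous token.
    function setUtilityToken(address token) external {
        require(msg.sender == admin, "not admin");
        emit UtilityTokenChanged(utilityToken, token);
        utilityToken = token;
    }

    function bond(uint256 amount) external {
        address token = utilityToken; // snapshot before the external call
        bondedIn[token][msg.sender] += amount;
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    // Withdrawals name the token explicitly, so balances from former utility
    // tokens stay redeemable and are never paid out in a different token.
    function unbond(address token, uint256 amount) external {
        bondedIn[token][msg.sender] -= amount; // reverts on underflow in 0.8+
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
    }
}
```

Because every credit and debit is keyed by the token it was made in, a balance credited under one token cannot be redeemed against the contract's holdings of another.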