0x52
high
The same swivel contract handles order for a large number of assets. Lender#lend for swivel fails to validate that the asset specified in the order is the same asset of market being called. An attacker could call lend on a DAI market but actually be swapping ETH or USDC. This would allow the attacker to steal all underlying in the Lender contract. Additionally this can be paired with my other submission on PT supply manipulation to rug an entire market.
function initiateZcTokenFillingVaultInitiate(Hash.Order calldata o, uint256 a, Sig.Components calldata c) internal {
bytes32 hash = validOrderHash(o, c);
require((a + filled[hash]) <= o.principal, 'taker amount > available volume');
filled[hash] += a;
Erc20 uToken = Erc20(o.underlying);
uint256 premiumFilled = (a * o.premium) / o.principal;
Safe.transferFrom(uToken, o.maker, msg.sender, premiumFilled);
uint256 fee = premiumFilled / feenominators[0];
Safe.transferFrom(uToken, msg.sender, address(this), (a + fee));
MarketPlace mPlace = MarketPlace(marketPlace);
require(CErc20(mPlace.cTokenAddress(o.underlying, o.maturity)).mint(a) == 0, 'minting CToken Failed');
require(mPlace.custodialInitiate(o.underlying, o.maturity, msg.sender, o.maker, a), 'custodial initiate failed');
emit Initiate(o.key, hash, o.maker, o.vault, o.exit, msg.sender, a, premiumFilled);
}
When completing swivel orders the underlying asset is specified in order.underlying. Lender#Lend for swivel doesn't validate the underlying being used by orders so an attacker could make an order on one token's marketplace but trade a different token. The attacker specifies which orders they are filling so they can create an order on Swivel in which they are buying the token for virtually nothing. This would allows them to effectively steal all the funds being traded. We can illustrate this with DAI and ETH, the attack would cost the attacker 1 DAI because lend would transfer 1 DAI from the attacker to lender contract. They would profit 1 ETH because they would specify ETH as the underlying in the order struct and fill a malicious order to steal it. This tactic could be used to steal all underlying in the Lender contract.
This can be combined with another high risk bug I submitted to completely rug a market, see the setup in my issue about inflating PT supply. The TL:DR of that is that by manipulating the supply of PT and abusing autoRedeem the attacker can move large amounts of underlying into the Lender contract. Combine this with the attack vector shown above, and the attacker could move a large amount of tokens into the lender contract then steal them all.
I have submitted this and the PT supply manipulation vulnerabilities as two separate, high risk issues, since both can individually be used to steal funds and both exploit different portions of the contract. Combined, however they lead to catastrophic loss of funds.
All underlying from any market can be stolen from the lender contract. Combined with the PT supply manipulation, it can be abused to rug an entire market.
Manual Review
Lender#lend for Swivel needs to validate that the underlying called in the order matches the underlying of the market.