-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Obsidian - Malicious pool deployer can set a malicious interest rate contract to lock funds of vault depositors #233
Comments
Invalid, require malicious admin
|
Escalate Per the contest's
This statement makes this issue valid. |
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
IMO, the issue is invalid due to this statement of the sponsor.
It is, absolutely, irrational for a deployer to set a malicious interest rate contract since he has nothing to earn out of this behaviour. |
The permissioned actors the protocol refers to are the protocol controlled This issue involves a malicious pool deployer (which can be anyone). Deploying pools is permission-less, which is why the protocol was interested in such issues as they clearly stated in the README:
|
I agree with the escalation of this issue to be High severity. For more information on what I think about the rule, you can see this comment: #234 (comment) Planning to accept the escalation and make this issue High severity. |
Result: |
Escalations have been resolved successfully! Escalation status:
|
@cvetanovv Can we reconsider this issue per this comment : #234 (comment)_ The report wrongly states that the funds are locked forever. ZeroLend has permission to make changes on the pools. Users can get back their funds after adjustment by ZeroLend |
The referenced comment is not accurate. Even if the protocol sets a new IRM through this only configurator function, the pool admin can instantly change it back to the malicious IRM using this only pool admin function. |
I agree with @0xSpearmint comment. Even if ZeroLend makes any changes, the malicious pool admin can immediately roll back the previous configuration. |
@cvetanovv |
@DemoreXTess That's not a problem. The labels of duplicate issues will be added after all escalations are resolved. |
Obsidian
High
Malicious pool deployer can set a malicious interest rate contract to lock funds of vault depositors
Summary
Once vault depositors have deposited funds into a pool, a malicious pool creator can upgrade the
interestRateStrategy
contract (usingPoolConfigurator.setReserveInterestRateStrategyAddress()
to make all calls to it revert.As a result any function of the protocol that calls
updateInterestRates()
will revert becauseupdateInterestRates()
makes the following call:The main impact is that now withdrawals will revert because
executeWithdraw()
callsupdateInterestRates()
which will always revert, so the funds that vault users deposited into this pool are lost forever.Root Cause
Allowing the pool deployer to specify any
interestRateStrategyAddress
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
interestRateStrategy
contract to make all calls to it revertImpact
All the funds deposited to the pool from the vault will be lost
PoC
No response
Mitigation
Use protocol whitelisted interest rate calculation contracts
The text was updated successfully, but these errors were encountered: