Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Obsidian - Malicious pool deployer can set a malicious interest rate contract to lock funds of vault depositors #233

Open
sherlock-admin2 opened this issue Sep 10, 2024 · 13 comments
Open

Obsidian - Malicious pool deployer can set a malicious interest rate contract to lock funds of vault depositors #233

sherlock-admin2 opened this issue Sep 10, 2024 · 13 comments
Labels
Escalation Resolved This issue's escalations have been approved/rejected High A High severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Sep 10, 2024
edited by sherlock-admin3
Loading

Obsidian

High

Malicious pool deployer can set a malicious interest rate contract to lock funds of vault depositors

Summary

Once vault depositors have deposited funds into a pool, a malicious pool creator can upgrade the interestRateStrategy contract (using PoolConfigurator.setReserveInterestRateStrategyAddress() to make all calls to it revert.

As a result any function of the protocol that calls updateInterestRates() will revert because updateInterestRates() makes the following call:

(vars.nextLiquidityRate, vars.nextBorrowRate) = IReserveInterestRateStrategy(_reserve.interestRateStrategyAddress)
      .calculateInterestRates(
      /* PARAMS */
    );

The main impact is that now withdrawals will revert because executeWithdraw() calls updateInterestRates() which will always revert, so the funds that vault users deposited into this pool are lost forever.

Root Cause

Allowing the pool deployer to specify any interestRateStrategyAddress

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. Vault users deposit into the pool
  2. the deployer sets their interestRateStrategy contract to make all calls to it revert
  3. All calls to withdraw funds from the pool will revert, the vault depositors have lost their funds

Impact

All the funds deposited to the pool from the vault will be lost

PoC

No response

Mitigation

Use protocol whitelisted interest rate calculation contracts
@github-actions github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Excluded Excluded by the judge without consulting the protocol or the senior labels Sep 20, 2024
This was referenced Sep 20, 2024
Closed
Closed
@nevillehuang
Copy link
Collaborator

Invalid, require malicious admin

Essentially we expect all permissioned actors to behave rationally.

@sherlock-admin3 sherlock-admin3 changed the title Joyous Cedar Tortoise - Malicious pool deployer can set a malicious interest rate contract to lock funds of vault depositors Obsidian - Malicious pool deployer can set a malicious interest rate contract to lock funds of vault depositors Oct 3, 2024
@sherlock-admin3 sherlock-admin3 added Non-Reward This issue will not receive a payout and removed Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Oct 3, 2024
@iamnmt
Copy link

iamnmt commented Oct 3, 2024

Escalate

Per the contest's README

There are two set of actors. Actors who manage pools and actors who mange vaults. If an action done by one party causes the other party to suffer losses we'd want to consider that.

This statement makes this issue valid.

@sherlock-admin3
Copy link
Contributor

Escalate

Per the contest's README

There are two set of actors. Actors who manage pools and actors who mange vaults. If an action done by one party causes the other party to suffer losses we'd want to consider that.

This statement makes this issue valid.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin4 sherlock-admin4 added the Escalated This issue contains a pending escalation label Oct 3, 2024
@zarkk01
Copy link

zarkk01 commented Oct 13, 2024

IMO, the issue is invalid due to this statement of the sponsor.

Essentially we expect all permissioned actors to behave rationally.

It is, absolutely, irrational for a deployer to set a malicious interest rate contract since he has nothing to earn out of this behaviour.

@0xSpearmint
Copy link

The permissioned actors the protocol refers to are the protocol controlled PoolConfigurator and owner roles. They can be expected to act rationally.

This issue involves a malicious pool deployer (which can be anyone).

Deploying pools is permission-less, which is why the protocol was interested in such issues as they clearly stated in the README:

There are two set of actors. Actors who manage pools and actors who mange vaults. If an action done by one party causes the other party to suffer losses we'd want to consider that.

@cvetanovv cvetanovv mentioned this issue Oct 15, 2024
Open
@cvetanovv
Copy link

I agree with the escalation of this issue to be High severity. For more information on what I think about the rule, you can see this comment: #234 (comment)

Planning to accept the escalation and make this issue High severity.

@Joshuajee Joshuajee mentioned this issue Oct 15, 2024
Open
@WangSecurity WangSecurity added High A High severity issue. and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Oct 18, 2024
@sherlock-admin2 sherlock-admin2 added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels Oct 18, 2024
@WangSecurity
Copy link

WangSecurity commented Oct 18, 2024
edited
Loading

Result:
High
Has duplicates

@WangSecurity WangSecurity reopened this Oct 18, 2024
@sherlock-admin2
Copy link
Contributor Author

sherlock-admin2 commented Oct 18, 2024
edited
Loading

Escalations have been resolved successfully!

Escalation status:

@sherlock-admin3 sherlock-admin3 removed the Escalated This issue contains a pending escalation label Oct 18, 2024
@sherlock-admin4 sherlock-admin4 added the Escalation Resolved This issue's escalations have been approved/rejected label Oct 18, 2024
@DemoreXTess
Copy link

DemoreXTess commented Oct 22, 2024
edited
Loading

@cvetanovv Can we reconsider this issue per this comment : #234 (comment)_

The report wrongly states that the funds are locked forever. ZeroLend has permission to make changes on the pools. Users can get back their funds after adjustment by ZeroLend

@0xSpearmint
Copy link

The referenced comment is not accurate.

Even if the protocol sets a new IRM through this only configurator function, the pool admin can instantly change it back to the malicious IRM using this only pool admin function.

@cvetanovv
Copy link

I agree with @0xSpearmint comment. Even if ZeroLend makes any changes, the malicious pool admin can immediately roll back the previous configuration.

@0xNirix 0xNirix mentioned this issue Oct 24, 2024
Open
@DemoreXTess
Copy link

DemoreXTess commented Oct 24, 2024
edited
Loading

@cvetanovv
Is there a problem in this one, it says escalation resolved with has duplicates but the label is not added.

@cvetanovv
Copy link

@DemoreXTess That's not a problem. The labels of duplicate issues will be added after all escalations are resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Escalation Resolved This issue's escalations have been approved/rejected High A High severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@cvetanovv @iamnmt @zarkk01 @DemoreXTess @nevillehuang @WangSecurity @sherlock-admin2 @0xSpearmint @sherlock-admin3 @sherlock-admin4