Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dandy Caramel Tortoise - marketForwarder for a specific market can spoof a user all markets #60

Open
sherlock-admin4 opened this issue Dec 10, 2024 · 0 comments

Comments

@sherlock-admin4
Copy link

Dandy Caramel Tortoise

Medium

marketForwarder for a specific market can spoof a user all markets

Summary

Marketforwarder is shared across all markets for a user instead of just the intended market

Root Cause

The approveMarketForwarder is supposed to approve a forwarder contract for a specific market.

     * @notice Approves a forwarder contract to use their address as a sender for a specific market.
     * @notice The forwarder given must be trusted by the market given.
     * @param _marketId An ID for a lending market.
     * @param _forwarder A forwarder contract address.
     */
    function approveMarketForwarder(uint256 _marketId, address _forwarder)
        external
    {
        require(
            isTrustedMarketForwarder(_marketId, _forwarder),
            "Forwarder must be trusted by the market"
        );
        _approvedForwarderSenders[_forwarder].add(_msgSender());
        emit MarketForwarderApproved(_marketId, _forwarder, _msgSender());

But this is not followed. If a user approves a forwarder for one market, that forwarder can spoof the user for any other market in which they are considered trusted

    function _msgSenderForMarket(uint256 _marketId)
        internal
        view
        virtual
        returns (address)
    {
        if (
            msg.data.length >= 20 &&
            isTrustedMarketForwarder(_marketId, _msgSender())
        ) {
            address sender;
            assembly {
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
            // Ensure the appended sender address approved the forwarder
            // @audit no market wise seperation
            require(
=>              _approvedForwarderSenders[_msgSender()].contains(sender),
                "Sender must approve market forwarder"
            );

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. User approves A as a trusted forwarder for MA
  2. A is also made the trusted forwarder of MB and MC by the respective owners
  3. A can now spoof the user for MB and MC also which they have not intended

Impact

The trusted forwarder for a market can spoof the user across all markets. This can result in bids and lendings for terms that the user doesn't align with

PoC

No response

Mitigation

Seperate forwarders marketwise

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant