```solidity
function _msgSenderForMarket(uint256 _marketId)
    internal
    view
    virtual
    returns (address)
{
    if (
        msg.data.length >= 20 &&
        isTrustedMarketForwarder(_marketId, _msgSender())
    ) {
        address sender;
        assembly {
            // The forwarded sender is appended as the last 20 bytes of calldata
            sender := shr(96, calldataload(sub(calldatasize(), 20)))
        }
        // Ensure the appended sender address approved the forwarder
        // @audit no market-wise separation: the approval set is keyed only by
        // forwarder, not by (market, forwarder), so an approval given for one
        // market is honoured in every market where this forwarder is trusted
        require(
            _approvedForwarderSenders[_msgSender()].contains(sender),
            "Sender must approve market forwarder"
        );
        return sender;
    }
    return _msgSender();
}
```
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
1. The user approves A as a trusted forwarder for market MA.
2. A is also made the trusted forwarder of markets MB and MC by their respective owners.
3. A can now spoof the user in MB and MC as well, which the user never intended.
Impact
The trusted forwarder for one market can spoof the user across all markets in which it is trusted. This can result in bids and loans on terms the user did not agree to.
PoC
No response
Mitigation
Separate forwarder approvals per market, so that an approval is keyed by (market, forwarder) rather than by forwarder alone.
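As an added illustration of this mitigation (hypothetical code written for this note, not the audited project's own): the approval set keyed only by forwarder, as in the snippet under Root Cause, is replaced by one keyed by market and forwarder, so an approval granted for MA is not honoured for MB or MC. The name `_approvedForwarderSendersByMarket` and the use of a plain bool mapping instead of an EnumerableSet are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal illustration of market-scoped forwarder approvals.
abstract contract MarketScopedForwarderContext {
    // Vulnerable shape (for comparison): keyed by forwarder only, shared across markets.
    //   mapping(address => EnumerableSet.AddressSet) _approvedForwarderSenders;

    // Hardened shape: marketId => forwarder => sender => approved
    mapping(uint256 => mapping(address => mapping(address => bool)))
        private _approvedForwarderSendersByMarket;

    // Assumed to be provided by the market registry (per-market trusted forwarder).
    function isTrustedMarketForwarder(uint256 marketId, address forwarder)
        public view virtual returns (bool);

    // The user opts in to a forwarder for exactly one market.
    function approveMarketForwarder(uint256 marketId, address forwarder) external {
        require(
            isTrustedMarketForwarder(marketId, forwarder),
            "Forwarder must be trusted by market"
        );
        _approvedForwarderSendersByMarket[marketId][forwarder][msg.sender] = true;
    }

    function revokeMarketForwarder(uint256 marketId, address forwarder) external {
        _approvedForwarderSendersByMarket[marketId][forwarder][msg.sender] = false;
    }

    function _msgSenderForMarket(uint256 marketId) internal view returns (address) {
        if (msg.data.length >= 20 && isTrustedMarketForwarder(marketId, msg.sender)) {
            address sender;
            assembly {
                // Forwarded sender is appended as the last 20 bytes of calldata
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
            // Lookup now includes marketId: an approval for MA does not satisfy
            // this check when the same forwarder calls on behalf of MB or MC.
            require(
                _approvedForwarderSendersByMarket[marketId][msg.sender][sender],
                "Sender must approve market forwarder"
            );
            return sender;
        }
        return msg.sender;
    }
}
```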
Dandy Caramel Tortoise
Medium
marketForwarder for a specific market can spoof a user in all markets
Summary
A user's market forwarder approval is shared across all markets instead of being limited to the intended market.
Root Cause
The approveMarketForwarder function is supposed to approve a forwarder contract for a specific market, but this scoping is not enforced. If a user approves a forwarder for one market, that forwarder can spoof the user in any other market in which it is considered trusted.