UTBExector contract tokens balance could be fully drained

[c4-bot-8]

Lines of code

https://github.com/code-423n4/2024-01-decent/blob/011f62059f3a0b1f3577c8ccd1140f0cf3e7bb29/src/UTB.sol#L134-L162
https://github.com/code-423n4/2024-01-decent/blob/011f62059f3a0b1f3577c8ccd1140f0cf3e7bb29/src/UTB.sol#L108-L124
https://github.com/code-423n4/2024-01-decent/blob/011f62059f3a0b1f3577c8ccd1140f0cf3e7bb29/src/UTB.sol#L311-L319

Vulnerability details

Impact

A high-severity bug has been identified within the contract UTB's private function _swapAndExecute:

    function _swapAndExecute(
        SwapInstructions memory swapInstructions,
        address target,
        address paymentOperator,
        bytes memory payload,
        address payable refund
    ) private {
        (address tokenOut, uint256 amountOut) = performSwap(swapInstructions);
        if (tokenOut == address(0)) { // in case is native token
            executor.execute{value: amountOut}(
                target,            //
                paymentOperator,   //
                payload,           // @audit --> unchecked variables
                tokenOut,           //
                amountOut,          //
                refund             // 
            );
        } else {
            IERC20(tokenOut).approve(address(executor), amountOut);
            executor.execute(
                target,                
                paymentOperator,       // @audit --> same thing as above
                payload,
                tokenOut,
                amountOut,
                refund
            );
        }
    }

The vulnerability arises from inadequate input validation in the functions calling _swapAndExecute, specifically swapAndExecute and receiveFromBridge. The unchecked inputs are subsequently utilized in the UTBExecutor contract's execute function, posing a significant risk.

An attacker could exploit this flaw to execute arbitrary commands, potentially leading to the unauthorized transfer of ERC20 tokens from the executor contract balance.

Proof of Concept

1. Use a manipulated input with a crafted payload(like transfer(address,uint256) using params as attacker address and executor contract balance as the uint256) and a target that is the erc20 selected for the first token drain
2. call one of the two function affected (receiveFromBridge or swapAndExecute) with the manipulated input crafted above
3. repeat the process with all the erc20 tokens present in the UTBExecutor that could be immediately sold after that resulting in profit for the attacker and loss of funds for the protocol users

Tools Used

manual review

Recommended Mitigation Steps

To address this vulnerability, implement comprehensive input validation within the _swapAndExecute function. Verify the integrity of inputs such as target and payload in both swapAndExecute and receiveFromBridge functions before invoking _swapAndExecute. Additionally, consider incorporating access controls and restrictions within the UTBExecutor's execute function to ensure secure execution of commands.

Assessed type

Invalid Validation

[c4-pre-sort]

raymondfam marked the issue as sufficient quality report

[c4-pre-sort]

raymondfam marked the issue as duplicate of #15

[raymondfam]

Fund Accumulation: Other than the UTBFeeCollector, and DcntEth, the contracts are not intended to hold on to any funds or unnecessary approvals. Any native value or erc20 flowing through the protocol should either get delivered or refunded.

[c4-pre-sort]

raymondfam marked the issue as insufficient quality report

[c4-judge]

alex-ppg marked the issue as not a duplicate

[alex-ppg]

The UTBExecutor is not meant to hold funds per the contest's scope, rendering this submission to concern accidentally lost funds that are regarded as OOS.

[c4-judge]

alex-ppg marked the issue as unsatisfactory:
Out of scope