Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Return value of call() in UTBExecutor is not checked causing loss of funds #700

Closed
c4-bot-5 opened this issue Jan 23, 2024 · 3 comments
Closed

Return value of call() in UTBExecutor is not checked causing loss of funds #700

c4-bot-5 opened this issue Jan 23, 2024 · 3 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-25 insufficient quality report This report is not of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-bot-5
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-01-decent/blob/011f62059f3a0b1f3577c8ccd1140f0cf3e7bb29/src/UTBExecutor.sol#L41

Vulnerability details

Impact

Currently in the UTBExecutor.sol contract, there are two instances where the return value of call is not checked. In the first instance, this would lead to complete loss of output tokens received from the swap. In the second instance, this would break any external application changes that were supposed to be made by calling the payload.

Proof of Concept

Both instances exist in the execute() function.

First instance:

  • Assume both the target and refund address are the same address.
  • On Line 53, if the call to the target reverts, we enter the if block on Line 54.
  • On Line 55, since refund is the same address as target, the call reverts there as well. The issue here is that the return value of call made to the refund address is not checked, which allows further execution of the contract. i.e. we return early. This would cause permanent loss of funds for the user.
File: UTBExecutor.sol
50:         bool success;
51:         if (token == address(0)) {
53:             (success, ) = target.call{value: amount}(payload);
54:             if (!success) {
55:                 (refund.call{value: amount}(""));
56:             }
57:             return;
58:         }

Second instance:

  • On line 75, the return value is cached but it is not checked to be true or false. Due to this if the call fails, this could break any external application changes that were supposed to be made by calling the payload.
File: UTBExecutor.sol
73:         } else {
74:             
75:             (success, ) = target.call(payload);
76:         }

Tools Used

Manual Review

Recommended Mitigation Steps

Check the return value of call() by wrapping it around a require statement.

Assessed type

Error
@c4-bot-5 c4-bot-5 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jan 23, 2024
c4-bot-5 added a commit that referenced this issue Jan 23, 2024
@c4-bot-5
MrPotatoMagic issue #700
5a35ac1
@c4-pre-sort
Copy link

raymondfam marked the issue as insufficient quality report

@c4-pre-sort c4-pre-sort added the insufficient quality report This report is not of sufficient quality label Jan 25, 2024
@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #25

@c4-judge
Copy link

c4-judge commented Feb 2, 2024

alex-ppg marked the issue as unsatisfactory:
Invalid

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Feb 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-25 insufficient quality report This report is not of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c4-judge @c4-pre-sort @c4-bot-5