permit improvement to pipeline can be front runned
Report ID
#14917
Target
Report type
Smart Contract
Impacts
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Has PoC?
Yes
Description
pipeline: 0xb1bE0000bFdcDDc92A8290202830C4Ef689dCeaa depot: 0xDEb0f000082fD56C10f449d4f8497682494da84D "Pipeline enables the execution an arbitrary composition of valid actions within the EVM in a single transaction using Ether. Depot is a wrapper for Pipeline that supports loading Ether and non-Ether assets into Pipeline." users have to approve their funds to pipeline so then they can use it to execute their actions in a single call . as there is no access control over pipeline contract anyone can make calls from it and thus if someone try to approve his funds to the pipeline and leave it to the next transaction , it can be stolen. since most of users that are interacting with pipeline are EOA addresses thus they cant approve and call to pipeline at same transaction , so they have to first approve to depot contract in once transaction and then call transfertoken at depost contract and transfer those amounts to the pipeline in another transaction , and begin their actions using pipeline .
there is also another gas-saving way to do this , depot contract has permitERC20 function . a user can sign a message to approve his funds to pipeline , then call permitERC20 at depost contract and then call transfertoken and then he is ready to use pipeline . in this way the approval and the rest of stuff are all in one transaction , not in two .
alice calls farm in Depot and inside data he will attach signatrues to use permitERC20 function . bob sees the transaction , bob calls the permitERC20 with same signatures as what alice was trying to use . now pipeline has approval to spend alice's funds . bob calls token.transferfrom(alice , pipeline, amount) in pipeline contract to make balance in pipeline contract bob calls token.transferfrom(pipeline , bob, amount) bob stole alice's funds
i believe that its hard to fix that issue as soon as an implemention like this exists in pipeline ." Depot is a wrapper for Pipeline" i think it would be better to revert calls that are trying to call permitERC20 when spender is set to pipeline
require(spender != 0xb1bE0000bFdcDDc92A8290202830C4Ef689dCeaa "funds at risk")
in this way no risk would threat users that are trying to work with pipeline using depot .
Proof of concept
alice calls farm in Depot and inside data she will attach signatrues to use permitERC20 function . bob sees the transaction , bob calls the permitERC20 with same signatures as what alice was trying to use . now pipeline has approval to spend alice's funds . bob calls token.transferfrom(alice , pipeline, amount) in pipeline contract to convert allowances to balances . bob calls token.transferfrom(pipeline , bob, amount) bob stole alice's funds
BIC Response
This is not a security bug report because it describes expected behavior.
Say Alice calls farm
in Depot and inside the data she attaches signatures to use permitERC20
. Bob sees the transaction and calls permitERC20
with same the signatures as Alice. Now Pipeline has approval to spend Alice's funds.
Alice should use permitERC20
to approve Depot (not Pipeline) to spend Alice's funds. Any approval of Pipeline could result in loss of funds, but this is true for any EOA or malicious smart
contract. Pipeline should never receive approval of any token and never needs to receive approval.
Due to these reasons, we are closing the submission and no reward will be issued.