Report #14304

Report Date: December 5, 2022

Depot contract may result in unintended actions

Report Info

Report ID: #14304

Target:

Report type: Smart Contract

Impacts

  • Contract fails to deliver promised returns, but doesn't lose value
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Has PoC? Yes

Bug Description

The depot contract 0xDEb0f000082fD56C10f449d4f8497682494da84D allows many transfers on different tokens, for example "transferERC1155":

function transferERC1155(
        IERC1155 token,
        address to,
        uint256 id,
        uint256 value
    ) external payable {
        token.safeTransferFrom(msg.sender, to, id, value, new bytes(0));
    }

The caller can set the token as well; however, the depot contract does not check whether the token address is a contract or not. This can allow a mistaken call (a call to a self-destructed contract) to result in the transaction succeeding when it did not!

You can read more at:

The low-level functions call, delegatecall and staticcall return true as their first return value if the account called is non-existent, as part of the design of the EVM. Account existence must be checked prior to calling if needed.

That said, this may allow the contract to process unwanted transactions and may allow users to lose their funds.

Impact

The depot contract processes unwanted transactions and may allow users/contracts who rely on it to lose their funds/tokens.

Proof of concept

Used Truffle.

  1. As an example, we will set a non-contract address as the "token" address:

const Web3 = require('web3');
// Save the ABI of the 0xDEb0f000082fD56C10f449d4f8497682494da84D contract at test/abi.json
const abi = require('./test/abi.json');
const v_contract = "0xDEb0f000082fD56C10f449d4f8497682494da84D";
const user = "0x85c2e1d98613EAf82B9ceE12845929971b1cEC6b";
// `web3` (lowercase) is the instance provided by the Truffle environment
const vc = new web3.eth.Contract(abi, v_contract);

// Pass the user's own (non-contract) address as the token address
await vc.methods.transferERC721(user, user, 1).send({from: user, gas: 6721975, gasPrice: '30000000'});

  2. The transaction will succeed; however, no transfer has occurred.
  3. Now, if a contract/user relies on it to transfer tokens, it can be tricked.

BIC Response

This is not a security bug report because the report outlines expected functionality. Pipeline and Depot were built with the philosophy that it is not the smart contract's role to protect users against misuse.

Due to these reasons, we are closing the submission and no reward will be issued.
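
Since the response places the check on the caller, the following added example (not code from Depot, the reporter, or the BIC) shows a caller-side guard: confirm the token address has code before sending, then confirm the recipient's balance moved rather than trusting the receipt. `eth.getCode` mirrors `web3.eth.getCode`; `balanceOf`, `send`, `guardedTransfer` and the in-memory chain are hypothetical names and constructed data.

```javascript
// Added example: caller-side checks around a Depot-style token transfer.
// eth.getCode mirrors web3.eth.getCode; balanceOf and send are hypothetical
// adapters supplied by the integrator. Assumes `to` is not the sender.

// True when the address holds deployed bytecode. "0x" means none: an EOA,
// a never-deployed address, or a self-destructed contract.
async function hasCode(eth, address) {
  const code = await eth.getCode(address);
  return typeof code === 'string' && /^0x[0-9a-fA-F]{2,}$/.test(code);
}

// Refuses to send to a code-less token, then confirms the recipient's
// balance actually moved instead of trusting the receipt status.
async function guardedTransfer({ eth, token, to, id, value, balanceOf, send }) {
  if (!(await hasCode(eth, token))) {
    throw new Error(`token ${token} has no contract code; refusing to send`);
  }
  const before = BigInt(await balanceOf(token, to, id));
  const receipt = await send(token, to, id, value);
  const moved = BigInt(await balanceOf(token, to, id)) - before;
  if (moved !== BigInt(value)) {
    throw new Error(`receipt ok but balance moved by ${moved}, expected ${value}`);
  }
  return receipt;
}

// Constructed in-memory stand-in for a node and an ERC-1155 token.
function makeFakeChain() {
  const TOKEN = '0x' + '11'.repeat(20); // constructed address with code
  const DEAD = '0x' + '22'.repeat(20);  // constructed address without code
  const balances = new Map();
  const key = (t, owner, id) => `${t}:${owner}:${id}`;
  return {
    TOKEN, DEAD,
    eth: { getCode: async (a) => (a === TOKEN ? '0x6080' : '0x') },
    balanceOf: async (t, owner, id) => balances.get(key(t, owner, id)) || 0n,
    // Models the outcome the report describes: a send to a code-less
    // address yields a successful receipt and moves nothing.
    send: async (t, to, id, v) => {
      const k = key(t, to, id);
      if (t === TOKEN) balances.set(k, (balances.get(k) || 0n) + BigInt(v));
      return { status: true };
    },
  };
}
```

The balance comparison after the send also covers the window in which a token contract is destroyed between the code check and the transaction.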