📄

Report #14917

Report Date
December 18, 2022

permit improvement to pipeline can be front runned

Report Info

Report ID

#14917

Target

Report type

Smart Contract

Impacts

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Has PoC?

Yes

Description

pipeline: 0xb1bE0000bFdcDDc92A8290202830C4Ef689dCeaa depot: 0xDEb0f000082fD56C10f449d4f8497682494da84D "Pipeline enables the execution an arbitrary composition of valid actions within the EVM in a single transaction using Ether. Depot is a wrapper for Pipeline that supports loading Ether and non-Ether assets into Pipeline." users have to approve their funds to pipeline so then they can use it to execute their actions in a single call . as there is no access control over pipeline contract anyone can make calls from it and thus if someone try to approve his funds to the pipeline and leave it to the next transaction , it can be stolen. since most of users that are interacting with pipeline are EOA addresses thus they cant approve and call to pipeline at same transaction , so they have to first approve to depot contract in once transaction and then call transfertoken at depost contract and transfer those amounts to the pipeline in another transaction , and begin their actions using pipeline .

there is also another gas-saving way to do this , depot contract has permitERC20 function . a user can sign a message to approve his funds to pipeline , then call permitERC20 at depost contract and then call transfertoken and then he is ready to use pipeline . in this way the approval and the rest of stuff are all in one transaction , not in two .

alice calls farm in Depot and inside data he will attach signatrues to use permitERC20 function . bob sees the transaction , bob calls the permitERC20 with same signatures as what alice was trying to use . now pipeline has approval to spend alice's funds . bob calls token.transferfrom(alice , pipeline, amount) in pipeline contract to make balance in pipeline contract bob calls token.transferfrom(pipeline , bob, amount) bob stole alice's funds

i believe that its hard to fix that issue as soon as an implemention like this exists in pipeline ." Depot is a wrapper for Pipeline" i think it would be better to revert calls that are trying to call permitERC20 when spender is set to pipeline

require(spender != 0xb1bE0000bFdcDDc92A8290202830C4Ef689dCeaa "funds at risk")

in this way no risk would threat users that are trying to work with pipeline using depot .

Proof of concept

alice calls farm in Depot and inside data she will attach signatrues to use permitERC20 function . bob sees the transaction , bob calls the permitERC20 with same signatures as what alice was trying to use . now pipeline has approval to spend alice's funds . bob calls token.transferfrom(alice , pipeline, amount) in pipeline contract to convert allowances to balances . bob calls token.transferfrom(pipeline , bob, amount) bob stole alice's funds

BIC Response

This is not a security bug report because it describes expected behavior.

Say Alice calls farm in Depot and inside the data she attaches signatures to use permitERC20. Bob sees the transaction and calls permitERC20 with same the signatures as Alice. Now Pipeline has approval to spend Alice's funds.

Alice should use permitERC20 to approve Depot (not Pipeline) to spend Alice's funds. Any approval of Pipeline could result in loss of funds, but this is true for any EOA or malicious smart contract. Pipeline should never receive approval of any token and never needs to receive approval.

Due to these reasons, we are closing the submission and no reward will be issued.