28646 - [SC - Insight] Resubmission with Pause Bypass Potential Exploi...
Last updated
Was this helpful?
Last updated
Was this helpful?
Submitted on Feb 22nd 2024 at 23:05:17 UTC by @offside0011 for
Report ID: #28646
Report type: Smart Contract
Report severity: Insight
Target: https://etherscan.io/address/0x7276925e42f9c4054afa2fad80fa79520c453d6a
Impacts:
Theft of unclaimed yield
Please refer to the previous submissions for technical details: https://bugs.immunefi.com/dashboard/submission/28611 https://bugs.immunefi.com/dashboard/submission/28614
Dust stETH could still be stolen from the current depositor.
These issues are already documented in the audit reports from BlockSec and Quantstamp, and the Puffer Team has been notified.
In response to the previous issue, the team confirmed that:
Puffer Depositor swap functions are in scope, but due to them being paused bugs will only be considered if they can bypass the pause mechanism.
However, these swap functions are still accessible on the mainnet. We have already demonstrated the vulnerability (the misconfiguration) in our previous POC, which can be found at https://bugs.immunefi.com/dashboard/submission/28614. The POC successfully works on block number 19281954.
Currently, only a small amount of dust (approximately $46) is vulnerable. The functions should be paused.
We demonstrated the accessibility of the swap functions by checking the authority (AccessManager) of the depositor.
The result indicates that an arbitrary address (0x1111111111111111111111111111111111111111) can call the depositor (0x4aA799C5dfc01ee7d790e3bf1a7C2257CE1DcefF) using the selector of the swap function, swapAndDeposit1Inch(address,uint256,bytes) at block number 19284511.