28646 - [SC - Insight] Resubmission with Pause Bypass Potential Exploi...

Submitted on Feb 22nd 2024 at 23:05:17 UTC by @offside0011 for Boost | Puffer Finance

Report ID: #28646

Report type: Smart Contract

Report severity: Insight

Target: https://etherscan.io/address/0x7276925e42f9c4054afa2fad80fa79520c453d6a

Impacts:

• Theft of unclaimed yield

Description

This is a resubmission of #28611 and #28614

Please refer to the previous submissions for technical details: https://bugs.immunefi.com/dashboard/submission/28611 https://bugs.immunefi.com/dashboard/submission/28614

Vulnerability

Dust stETH could still be stolen from the current depositor.

These issues are already documented in the audit reports from BlockSec and Quantstamp, and the Puffer Team has been notified.

Explanation

In response to the previous issue, the team confirmed that:

Puffer Depositor swap functions are in scope, but due to them being paused bugs will only be considered if they can bypass the pause mechanism.

However, these swap functions are still accessible on the mainnet. We have already demonstrated the vulnerability (the misconfiguration) in our previous POC, which can be found at https://bugs.immunefi.com/dashboard/submission/28614. The POC successfully works on block number 19281954.

Recommendation

Currently, only a small amount of dust (approximately $46) is vulnerable. The functions should be paused.

Proof of Concept

We demonstrated the accessibility of the swap functions by checking the authority (AccessManager) of the depositor.

The result indicates that an arbitrary address (0x1111111111111111111111111111111111111111) can call the depositor (0x4aA799C5dfc01ee7d790e3bf1a7C2257CE1DcefF) using the selector of the swap function, swapAndDeposit1Inch(address,uint256,bytes) at block number 19284511.