IOP _ ThunderNFT 34519 - [Smart Contract - High] users cant withdraw their tokens when specific asse

Submitted on Wed Aug 14 2024 12:53:37 GMT-0400 (Atlantic Standard Time) by @zeroK for IOP | ThunderNFT

Report ID: #34519

Report type: Smart Contract

Report severity: High

Target: https://github.com/ThunderFuel/smart-contracts/tree/main/contracts-v1/pool

Impacts:

Permanent freezing of funds

Description

Brief/Intro

the pool.sw contract allow users to deposit and withdraw whitelisted tokens into the pool contract, this is possible by calling the deposit function and withdraw function, however there is an issue when users want to withdraw their tokens, as the withdraw token check if the token is whitelisted or not, and this can cause issue and lock user funds in case if the assetManger contract decide to remove specific token from whitelist, this way users token will be stuck forever.

Vulnerability Details

the deposit function allow users to deposit specific amount for allowed tokens only as shown below:


    /// Deposits the supported asset into this contract
    /// and assign the deposited amount to the depositer as bid balance
    #[storage(read, write), payable]
    fn deposit() {
        let asset_manager_addr = storage.asset_manager.read().unwrap().bits();
        let asset_manager = abi(AssetManager, asset_manager_addr);
        require(asset_manager.is_asset_supported(msg_asset_id()), PoolErrors::AssetNotSupported); //@audit only supported

        let address = msg_sender().unwrap();
        let amount = msg_amount();
        let asset = msg_asset_id();

        let current_balance = _balance_of(address, asset);
        let new_balance = current_balance + amount;
        storage.balance_of.insert((address, asset), new_balance);

        log(Deposit {
            address,
            asset,
            amount
        });
    }

however same check exist in the withdraw function too:

    /// Withdraws the amount of assetId from the contract
    /// and sends to sender if sender has enough balance
    #[storage(read, write)]
    fn withdraw(asset: AssetId, amount: u64) {
        let sender = msg_sender().unwrap();
        let current_balance = _balance_of(sender, asset);
        require(current_balance >= amount, PoolErrors::AmountHigherThanBalance);

        let asset_manager_addr = storage.asset_manager.read().unwrap().bits();
        let asset_manager = abi(AssetManager, asset_manager_addr);
        require(asset_manager.is_asset_supported(asset), PoolErrors::AssetNotSupported); //@audit prevent if asset removed

        let new_balance = current_balance - amount;
        storage.balance_of.insert((sender, asset), new_balance);

        transfer(sender, asset, amount);

        log(Withdrawal {
            address: sender,
            asset,
            amount,
        });
    }

this can lead to stuck of funds since asset can be added and removed from whitelist using the add/remove asset function below:

    /// Adds asset into supported assets vec
    #[storage(read, write)]
    fn add_asset(asset: AssetId) {
        storage.owner.only_owner();
        require(
            !_is_asset_supported(asset),
            AssetManagerErrors::AssetAlreadySupported
        );

        storage.is_supported.insert(asset, true);
        storage.assets.push(asset);
    }

    /// Removes asset from supported assets vec
    #[storage(read, write)]
    fn remove_asset(index: u64) {
        storage.owner.only_owner();
        let asset = storage.assets.remove(index);
        storage.is_supported.insert(asset, false);
    }

if owner called the remove function while the tokens exist in the pool then all users with this token can not withdraw back their tokens amount.

we set the severity to high for reason below:

the owner can add back the token again by calling add_asset function but its not recommended behavior.

Impact Details

users amount can be temporary freez in pool contract.

References

there is no need to check for token whitelisted tokens when user withdraw since deposit allow to deposit whitelist tokens only

Proof of concept

Proof of Concept

the POC show that the token can be added and removed any time:

//run this test below asse_manger/src/main.sw

#[test]

fn test_attack_asset() {
    let assetManger = abi(AssetManager, CONTRACT_ID);
    assetManger.initialize();
    let asset_id = AssetId::default();
    assetManger.add_asset(asset_id);

    //users deposit between this gap

    assetManger.remove_asset(0);

}

PreviousIOP _ ThunderNFT 34496 - [Smart Contract - High] Users cant withdraw their funds for removed assets NextIOP _ ThunderNFT 34522 - [Smart Contract - Low] Self-transfer would inflate the balance

Last updated 1 year ago

Was this helpful?

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagReferences

hashtagProof of concept

hashtagProof of Concept