Thinking of myself as ser , but yet confirmed it yet.
Thinking of myself as ser , but yet confirmed it yet.
Subscribe to c1pher
Subscribe to c1pher
Share Dialog
Share Dialog
<100 subscribers
<100 subscribers
Compund Finance storage collision
Compound Finance is one of the largest Fianace yet . It lets users to deposit their ETH or the acceptable ERC-20 into the contract . Based on the deposited ETH user recieve corresponding amount of cToken. User can redeem their token back by burning the cToken.
It also specially integrates the TUSD , this has rather a special functionality , the compound mostly relies on TUSD if user deposits the TUSD the compound Fi mints the cTUSD.
Vulnerability Details
So the compund Finance allows TUSD as their underlying asset . TUSD has a special functionality, it has double entry point meaning they both have seperate contract addresses but they rely on one single balance. The primary address is used by Compound.
In the compund finance there was a function called sweepToken which is useful for the users who have lost their funds in the contract so , they could recover those funds.
function sweepToken(address _token) external override returns (unit256) {
if (_token == underlyingasset){
revert();
}
uint256 balance = token.balanceof(address(this));
token.transfer(admin, balance);
}
What if we provide TUSD primary asset ofcourse it’d fail on revert since it is an underlying asset. If provide the secondary asset on the _token it send all the balance of the TUSD to admins account . The price of cTUSD is based on the balance of the TUSDN in the contract.
Since the price is zero ‘0’ due to multiplier of token balance in to calculation is zero . Ofcourse there is some calculation of the token. This inconsistent price can advantage of the user.
A malicious user can swap tokens or Borrow token at high price from the protocol and sell off while performing the attack.
Thank you!!!
Compund Finance storage collision
Compound Finance is one of the largest Fianace yet . It lets users to deposit their ETH or the acceptable ERC-20 into the contract . Based on the deposited ETH user recieve corresponding amount of cToken. User can redeem their token back by burning the cToken.
It also specially integrates the TUSD , this has rather a special functionality , the compound mostly relies on TUSD if user deposits the TUSD the compound Fi mints the cTUSD.
Vulnerability Details
So the compund Finance allows TUSD as their underlying asset . TUSD has a special functionality, it has double entry point meaning they both have seperate contract addresses but they rely on one single balance. The primary address is used by Compound.
In the compund finance there was a function called sweepToken which is useful for the users who have lost their funds in the contract so , they could recover those funds.
function sweepToken(address _token) external override returns (unit256) {
if (_token == underlyingasset){
revert();
}
uint256 balance = token.balanceof(address(this));
token.transfer(admin, balance);
}
What if we provide TUSD primary asset ofcourse it’d fail on revert since it is an underlying asset. If provide the secondary asset on the _token it send all the balance of the TUSD to admins account . The price of cTUSD is based on the balance of the TUSDN in the contract.
Since the price is zero ‘0’ due to multiplier of token balance in to calculation is zero . Ofcourse there is some calculation of the token. This inconsistent price can advantage of the user.
A malicious user can swap tokens or Borrow token at high price from the protocol and sell off while performing the attack.
Thank you!!!
No activity yet