Malicious market can drain funds from MultiInvoker
Description
The MultiInvoker.sol contract interacts with Market and Vault contracts. However, there is no check that these are valid instances of their respective factories.
The MultiInvoker contract implicitly assumes that the underlying token for every market is DSU; hence, the withdraw function only sends out DSU.
function _withdraw(address account, UFixed6 amount, bool wrap) internal {
if (wrap) {
_unwrap(account, UFixed18Lib.from(amount));
} else {
DSU.push(account, UFixed18Lib.from(amount));
}
}
This means a malicious market can use a dummy base token to drain any DSU present in the MultiInvoker contract.
Impact
We created a proof of concept (POC) for this bug (section ). In this POC, we demonstrate how a malicious market, using an arbitrary token as the underlying token may drain the MultiInvoker contract of any DSU.
An excerpt of the POC output is shown below:
user's USDC balance: 0
user opens a maker position in the market
user liquidates the position
user's USDC balance: 1000000000
attack successful
However, the MultiInvoker contract is not designed to hold any funds, so this finding is only flagged as informational in nature.
Recommendations
None.