Category: Business Logic

Incomplete whitelist and blacklist functionality in ResonateHelper

Low Severity
Low Impact
Low Likelihood

Description

Once a fxSelector has been added to the whitelist, blacklisting it afterwards has no effect: proxyCall(…) never consults the blacklist.

For example, if a function has not been blacklisted, it can be added to the whitelist:

function whiteListFunction(uint32 selector) external onlySandwichBot glassUnbroken {
    require(!blackListedFunctionSignatures[selector], "ER030");
    whiteListedFunctionSignatures[selector] = true;
}

And if the function has been whitelisted, it can still be blacklisted:

function blackListFunction(uint32 selector) external onlySandwichBot glassUnbroken {
    blackListedFunctionSignatures[selector] = true;
}

However, if a function has been whitelisted and is then blacklisted, it still passes the validation check in proxyCall(…), because that check only requires the fxSelector to be present in the whitelist; the blacklist is never consulted:

function proxyCall(bytes32 poolId, address vault, address[] memory targets, uint[] memory values, bytes[] memory calldatas) external onlySandwichBot glassUnbroken {
    for (uint256 i = 0; i < targets.length; i++) {
        require(calldatas[i].length >= 4, "ER028"); //Prevent calling fallback function for re-entry attack
        bytes memory selector = BytesLib.slice(calldatas[i], 0, 4);
        uint32 fxSelector = BytesLib.toUint32(selector, 0);
        require(whiteListedFunctionSignatures[fxSelector], "ER025");
    }

    ISmartWallet(_getWalletForFNFT(poolId)).proxyCall(vault, targets, values, calldatas);
}

Impact

If the sandwich bot were to mistakenly whitelist a dangerous function (or a function that later turned out to be dangerous), it would have no way to subsequently block that function from being passed to proxyCall(...).

Recommendations

Include logic to blacklist previously whitelisted functions. The blacklist should immediately be set to include increaseAllowance and approve, since these functions raise a spender's allowance without moving any tokens and can therefore trigger transactions that would pass the balance checks on proxyCall(...) in ResonateSmartWallet.
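One way to implement the recommended fix, shown here as an added example rather than Resonate's own code: blacklisting clears the whitelist entry, the call-time check consults both mappings, and the two recommended selectors are denied from deployment. The contract name, the constructor, the event names, the onlySandwichBot implementation and every revert string other than ER025/ER030 are assumptions; the glassUnbroken modifier from the original is omitted.

```solidity
// SPDX-License-Identifier: MIT
// Requires >=0.8.5 for the explicit bytes -> bytes4 conversion used below.
pragma solidity ^0.8.5;

/// Added example, not part of the Resonate code base.
/// Selector allow/deny list in which the deny list is authoritative.
contract SelectorListExample {
    address public immutable sandwichBot;

    mapping(uint32 => bool) public whiteListedFunctionSignatures;
    mapping(uint32 => bool) public blackListedFunctionSignatures;

    event FunctionWhitelisted(uint32 indexed selector);
    event FunctionBlacklisted(uint32 indexed selector);

    modifier onlySandwichBot() {
        require(msg.sender == sandwichBot, "not sandwich bot"); // assumed message
        _;
    }

    constructor(address bot) {
        sandwichBot = bot;
        // Deny approve(address,uint256) and increaseAllowance(address,uint256)
        // from the start, as the report recommends. The selectors are derived
        // from the canonical ERC-20 signatures rather than hard-coded.
        _blackList(_selectorOf("approve(address,uint256)"));
        _blackList(_selectorOf("increaseAllowance(address,uint256)"));
    }

    /// Unchanged behaviour: a blacklisted selector can never be whitelisted.
    function whiteListFunction(uint32 selector) external onlySandwichBot {
        require(!blackListedFunctionSignatures[selector], "ER030");
        whiteListedFunctionSignatures[selector] = true;
        emit FunctionWhitelisted(selector);
    }

    /// Fixed behaviour: blacklisting also removes any existing whitelist
    /// entry, so the two mappings can never both be true for one selector.
    function blackListFunction(uint32 selector) external onlySandwichBot {
        _blackList(selector);
    }

    /// Call-time check mirroring the loop body of proxyCall(...): the payload
    /// must carry a full selector, and that selector must be whitelisted and
    /// not blacklisted. The second condition is redundant once blackListFunction
    /// clears the whitelist, but it keeps the invariant explicit and cheap.
    function requireCallable(bytes memory data) public view returns (uint32 fxSelector) {
        require(data.length >= 4, "ER028");
        fxSelector = uint32(bytes4(data)); // first 4 bytes of the calldata
        require(whiteListedFunctionSignatures[fxSelector], "ER025");
        require(!blackListedFunctionSignatures[fxSelector], "ER025");
    }

    function _blackList(uint32 selector) internal {
        whiteListedFunctionSignatures[selector] = false;
        blackListedFunctionSignatures[selector] = true;
        emit FunctionBlacklisted(selector);
    }

    function _selectorOf(string memory signature) internal pure returns (uint32) {
        return uint32(bytes4(keccak256(bytes(signature))));
    }
}
```

A caller integrating this into a proxyCall-style loop would invoke requireCallable(calldatas[i]) for each entry before forwarding the batch, so a selector that was whitelisted and later blacklisted reverts with ER025 instead of being forwarded to the wallet.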

Remediation

Revest has added functionality that allows blacklisting of previously whitelisted functions in commit f95f9d5ac4ac31057cef185d57a1a7b03df5f199. The functions increaseAllowance and approve have been added to the blacklist in commit f2428392e0ce022cd6fde9cf41e654879c03119c.

Zellic © 2024