One Bug Per Day

VaultFactory allows deployment of vaults with non-authentic TwabController and PrizePool

Severity: Medium. Platform: Code4rena.

Lines of code

https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/VaultFactory.sol#L55

Vulnerability details

Impact

A malicious vault can be deployed through the official VaultFactory contract and is then reported as authentic by the factory's own registry. Users who rely on that registry to decide whether a vault is safe may lose funds while interacting with such a vault.

Proof of Concept

The VaultFactory.deployVault function deploys Vault contracts. The factory keeps a mapping of the vaults it has deployed, which lets users check that a given vault was created by the factory and therefore runs the unaltered, non-malicious Vault implementation.

However, the business logic of a vault is split across several contracts: Vault, TwabController, and PrizePool. TwabController tracks the historical balances of users, which determine their chances of winning prizes. PrizePool runs regular draws and distributes prizes among winners. It is therefore critical that every authentic Vault also integrates with authentic TwabController and PrizePool implementations.

Otherwise, a malicious actor can deploy an authentic vault through the official VaultFactory while passing in malicious TwabController and PrizePool contracts that, for example, report incorrect user balances, favor specific addresses when determining winners, or steal the prize token. In the current implementation, users are able to check the authenticity of a vault contract, but not the authenticity of the TwabController and PrizePool contracts the vault integrates with, since deployVault accepts both addresses as caller-supplied arguments without validating them.

Tools Used

Manual review

Recommended Mitigation Steps

Consider implementing a TwabController factory and a PrizePool factory contract. In each factory, track the addresses of the TwabController and PrizePool contracts it has deployed. In VaultFactory.deployVault, check that the passed _twabController and _prizePool addresses were deployed via the respective factory contracts, and revert otherwise. With that check in place, a vault's presence in the VaultFactory registry implies that its TwabController and PrizePool are authentic as well, so the single check users already perform becomes sufficient.
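The following is an added illustration of that mitigation and is not code from pt-v5-vault or this report. The TwabController, PrizePool and Vault contracts are reduced hypothetical stand-ins, and every contract, function and parameter name (DeploymentRegistry, isDeployed, deploy, deployVault's argument list, the custom errors) is an assumption chosen for the example. The core idea is the only one the report calls for: an address counts as authentic only if the trusted factory itself created it, so a caller-supplied address cannot forge a registry entry.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration only. The three contracts below are hypothetical stand-ins
// for the real TwabController, PrizePool and Vault, reduced to the wiring the
// authenticity check needs. Their constructor parameters are assumptions.
contract TwabController {
    uint32 public immutable periodLength;
    constructor(uint32 _periodLength) { periodLength = _periodLength; }
}

contract PrizePool {
    TwabController public immutable twabController;
    constructor(TwabController _twabController) { twabController = _twabController; }
}

contract Vault {
    TwabController public immutable twabController;
    PrizePool public immutable prizePool;
    constructor(TwabController _twabController, PrizePool _prizePool) {
        twabController = _twabController;
        prizePool = _prizePool;
    }
}

/// Shared registry logic (hypothetical name). An address is recorded only by the
/// factory's own deployment path, so nobody can register an arbitrary contract.
abstract contract DeploymentRegistry {
    mapping(address => bool) private _deployed;

    function isDeployed(address _contract) public view returns (bool) {
        return _deployed[_contract];
    }

    function _record(address _contract) internal {
        _deployed[_contract] = true;
    }
}

contract TwabControllerFactory is DeploymentRegistry {
    event TwabControllerDeployed(address indexed controller);

    function deploy(uint32 _periodLength) external returns (TwabController controller) {
        controller = new TwabController(_periodLength);
        _record(address(controller));
        emit TwabControllerDeployed(address(controller));
    }
}

contract PrizePoolFactory is DeploymentRegistry {
    event PrizePoolDeployed(address indexed prizePool);

    function deploy(TwabController _twabController) external returns (PrizePool prizePool) {
        prizePool = new PrizePool(_twabController);
        _record(address(prizePool));
        emit PrizePoolDeployed(address(prizePool));
    }
}

contract VaultFactory {
    error TwabControllerNotAuthentic(address twabController);
    error PrizePoolNotAuthentic(address prizePool);
    error TwabControllerMismatch(address vaultController, address poolController);

    TwabControllerFactory public immutable twabControllerFactory;
    PrizePoolFactory public immutable prizePoolFactory;

    /// Same role as the original factory's registry: true only for vaults created here.
    mapping(address => bool) public deployedVaults;

    event NewFactoryVault(address indexed vault);

    constructor(TwabControllerFactory _twabControllerFactory, PrizePoolFactory _prizePoolFactory) {
        twabControllerFactory = _twabControllerFactory;
        prizePoolFactory = _prizePoolFactory;
    }

    function deployVault(TwabController _twabController, PrizePool _prizePool)
        external
        returns (Vault vault)
    {
        // The mitigation: refuse any TwabController or PrizePool that did not
        // come out of the trusted factories, before the vault is created.
        if (!twabControllerFactory.isDeployed(address(_twabController))) {
            revert TwabControllerNotAuthentic(address(_twabController));
        }
        if (!prizePoolFactory.isDeployed(address(_prizePool))) {
            revert PrizePoolNotAuthentic(address(_prizePool));
        }
        // Extra consistency check, an assumption beyond the report's recommendation:
        // the vault must track balances in the same controller the prize pool reads.
        address poolController = address(_prizePool.twabController());
        if (poolController != address(_twabController)) {
            revert TwabControllerMismatch(address(_twabController), poolController);
        }

        vault = new Vault(_twabController, _prizePool);
        deployedVaults[address(vault)] = true;
        emit NewFactoryVault(address(vault));
    }
}
```

With this wiring, an attacker who deploys a self-written TwabController or PrizePool and passes it to deployVault gets a revert instead of an authentic-looking vault, and a user's existing off-chain check (`deployedVaults(vault) == true`) now covers all three contracts. The mismatch check is not part of the report; it closes the related case where both contracts are authentic but the vault is pointed at a controller the prize pool never reads, which would leave depositors without a chance to win.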

Assessed type

Other