
WildSniper - The Vault contract in the Mellow protocol allows users to register withdrawal requests to an arbitrary address, potentially enabling malicious actors to disrupt the withdrawal process by registering withdrawals to blacklisted addresses. #297

Closed
sherlock-admin4 opened this issue Jun 27, 2024 · 0 comments
Labels
Non-Reward This issue will not receive a payout Sponsor Disputed The sponsor disputed this issue's validity

Comments


sherlock-admin4 commented Jun 27, 2024

WildSniper

Medium

The Vault contract in the Mellow protocol allows users to register withdrawal requests to an arbitrary address, potentially enabling malicious actors to disrupt the withdrawal process by registering withdrawals to blacklisted addresses.

Summary

The Vault contract in the Mellow protocol allows users to register withdrawal requests to an arbitrary address, potentially enabling malicious actors to disrupt the withdrawal process by registering withdrawals to blacklisted addresses.

Vulnerability Detail

The registerWithdrawal function in the Vault contract permits users to specify a to address, which is the recipient address for the withdrawal request. This opens up a potential attack vector where a malicious user can repeatedly register withdrawal requests to blacklisted addresses, causing subsequent withdrawal operations to revert when attempting to process these requests.

Impact

The impact of this vulnerability is considered medium. It has the potential to break core contract functionality by disrupting the withdrawal process. If operators are forced to process withdrawals individually to avoid blacklisted addresses, it could lead to delays and inefficiencies. In a worst-case scenario, users might be compelled to initiate emergency withdrawals, potentially resulting in the loss of funds.

Code Snippet

The relevant code snippets are:

https://github.com/sherlock-audit/2024-06-mellow/blob/26aa0445ec405a4ad637bddeeedec4efe1eba8d2/mellow-lrt/src/Vault.sol#L434-L473

function registerWithdrawal(
    address to,
    uint256 lpAmount,
    uint256[] memory minAmounts,
    uint256 deadline,
    uint256 requestDeadline,
    bool closePrevious
) external nonReentrant checkDeadline(deadline) checkDeadline(requestDeadline) {
    // ...
    WithdrawalRequest memory request = WithdrawalRequest({
        to: to, // Arbitrary 'to' address
        // ...
    });
    // ...
}
function pendingWithdrawers(
    uint256 limit,
    uint256 offset
) external view returns (address[] memory result) {
    // ...
    for (uint256 i = 0; i < count; i++) {
        result[i] = withdrawers_.at(offset + i);
    }
    return result;
}

Tool used

Manual Review

Recommendation

To mitigate this vulnerability, the Vault contract should validate the to address in the registerWithdrawal function before a withdrawal request is registered. This could be done by maintaining a list of approved or blacklisted addresses and checking the to address against it, or by querying the USDC contract's blacklist directly.

Additionally, the processWithdrawals function should be modified to skip or handle withdrawal requests to blacklisted addresses gracefully, without reverting the entire operation.
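The two mitigations above, sketched as an added example that is not Mellow's code: the contract, storage layout and event names are constructed for illustration, while isBlacklisted(address) is the view function Circle's FiatToken (USDC) actually exposes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Subset of USDC's Blacklistable interface; isBlacklisted() is real,
/// everything else in this file is constructed for the example.
interface IBlacklistable {
    function isBlacklisted(address account) external view returns (bool);
}

interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract WithdrawalQueueExample {
    error RecipientBlacklisted(address to);

    struct Request { address to; uint256 amount; }

    IBlacklistable public immutable usdc;
    IERC20Minimal public immutable token;
    mapping(address => Request) public requests; // one pending request per user

    event WithdrawalProcessed(address indexed user, address indexed to, uint256 amount);
    event WithdrawalSkipped(address indexed user, address indexed to, bytes reason);

    constructor(address usdc_, address token_) {
        usdc = IBlacklistable(usdc_);
        token = IERC20Minimal(token_);
    }

    /// Mitigation 1: reject a blacklisted recipient at registration time, so a
    /// request that is guaranteed to revert never enters the queue.
    function registerWithdrawal(address to, uint256 amount) external {
        if (usdc.isBlacklisted(to)) revert RecipientBlacklisted(to);
        requests[msg.sender] = Request(to, amount);
    }

    /// Mitigation 2: an address can be blacklisted after registration, so each
    /// transfer is isolated in try/catch and a failing one is skipped (left
    /// pending for the user to re-target) instead of reverting the whole batch.
    function processWithdrawals(address[] calldata users) external {
        for (uint256 i = 0; i < users.length; i++) {
            Request memory r = requests[users[i]];
            if (r.amount == 0) continue;
            try token.transfer(r.to, r.amount) returns (bool ok) {
                if (!ok) { emit WithdrawalSkipped(users[i], r.to, ""); continue; }
                delete requests[users[i]];
                emit WithdrawalProcessed(users[i], r.to, r.amount);
            } catch (bytes memory reason) {
                emit WithdrawalSkipped(users[i], r.to, reason);
            }
        }
    }
}
```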

Duplicate of #109

@sherlock-admin2 sherlock-admin2 changed the title Clumsy Clay Mole - DepositWrapper.deposit(): incorrect handling of steth token transfer The Vault contract in the Mellow protocol allows users to register withdrawal requests to an arbitrary address, potentially enabling malicious actors to disrupt the withdrawal process by registering withdrawals to blacklisted addresses. Jun 28, 2024
@sherlock-admin3 sherlock-admin3 added the Sponsor Disputed The sponsor disputed this issue's validity label Jun 30, 2024
@github-actions github-actions bot changed the title The Vault contract in the Mellow protocol allows users to register withdrawal requests to an arbitrary address, potentially enabling malicious actors to disrupt the withdrawal process by registering withdrawals to blacklisted addresses. Perfect Coral Anteater - The Vault contract in the Mellow protocol allows users to register withdrawal requests to an arbitrary address, potentially enabling malicious actors to disrupt the withdrawal process by registering withdrawals to blacklisted addresses. Jul 6, 2024
@github-actions github-actions bot closed this as completed Jul 6, 2024
@github-actions github-actions bot added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 6, 2024
@sherlock-admin3 sherlock-admin3 changed the title Perfect Coral Anteater - The Vault contract in the Mellow protocol allows users to register withdrawal requests to an arbitrary address, potentially enabling malicious actors to disrupt the withdrawal process by registering withdrawals to blacklisted addresses. WildSniper - The Vault contract in the Mellow protocol allows users to register withdrawal requests to an arbitrary address, potentially enabling malicious actors to disrupt the withdrawal process by registering withdrawals to blacklisted addresses. Jul 15, 2024
@sherlock-admin3 sherlock-admin3 added Non-Reward This issue will not receive a payout and removed Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 15, 2024