'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Kinetic Disclosed Report
Audit report Kinetic Audit ContestRisk of Exchange Rate Manipulation Caused by Multiple Entry Point Tokens
Target
https://github.com/kinetic-market/public-money-market-contracts
Vulnerability Details
Vulnerability Detail
The function CErc20.sol::sweepToken is being used by the admin to sweep accidental ERC-20 transfers to the contract. But if the token inputed is having multiple entry points, there is a significant loss for the protocol to loose funds, not only for protocol but also for users by liquidated by attacker.
function sweepToken(EIP20NonStandardInterface token) external {
require(msg.sender == admin, 'CErc20::sweepToken: only admin may call');
require(address(token) != underlying, "CErc20::sweepToken: can not sweep underlying token");
uint256 balance = token.balanceOf(address(this));
token.transfer(admin, balance);
}
Reference: https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2
As explained in the above image, admin may enter another entry point, here it is 0x8dd5fbce2f6a956c3022ba3663759011dd51e73e. And in the blog mentioned in Reference, it is clearly stated how severe the bug is and how it effects the exchange rate of the protocol, which also discussed in validation steps.
Impact
Impact is Critical, and likelihood is Medium (because there is a chance where owner is malicious), so the severity of bug is High. Even though the function sweepToken is in hands of the owner, there is a chance where address of the token inputed is address of another entry point of the underlying asset. Which makes the contract to drain the total amount of underlying asset to owner, such that attack can repay the tokens which were borrowed to claim the collateral of borrowers, which is very severe as it is loss for both the protocol and users
Validation steps
How can an attacker profit?
Assume: the token with multiple entry point is TUSD
- Liquidate users who provided TUSD as collateral for their loans.
- Borrow TUSD, execute the attack, then pay back less TUSD.
- Execute the attack, then mint cTUSD. When the funds are returned to the contract, redeem the cTUSD for a profit.
Note that currently to my knowledge there is no token with multiple entry points in flare oracle, but there may be a case where they add token with multiple entry points in future, so there is no risk in being alert.
Mitigation
function sweepToken(EIP20NonStandardInterface token) override external {
require(msg.sender == admin, 'CErc20::sweepToken: only admin may call');
require(address(token) != underlying, "CErc20::sweepToken: can not sweep underlying token");
uint256 underlyingBalanceBefore = underlying.balanceOf(address(this));
uint256 balance = token.balanceOf(address(this));
token.transfer(admin, balance);
uint256 underlyingBalanceAfter = underlying.balanceOf(address(this));
require(underlyingBalanceBefore == underlyingBalanceAfter);
}
Comments on this report are hidden 
Details 
Participants (3) 
