Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Watchers::verifyRemoveLiquidity is missing implementation logic #1434

Open
c4-bot-8 opened this issue May 17, 2024 · 4 comments
Open

Watchers::verifyRemoveLiquidity is missing implementation logic #1434

c4-bot-8 opened this issue May 17, 2024 · 4 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-1520 grade-a insufficient quality report This report is not of sufficient quality QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_385_group AI based duplicate group recommendation

Comments

@c4-bot-8
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-04-noya/blob/9c79b332eff82011dcfa1e8fd51bad805159d758/contracts/governance/Watchers.sol#L8
https://github.com/code-423n4/2024-04-noya/blob/9c79b332eff82011dcfa1e8fd51bad805159d758/contracts/helpers/BaseConnector.sol#L94

Vulnerability details

https://docs.noya.ai/technical-architecture/technical-architecture/roles-in-noya

The Watchers role is responsible to make sure the execution of NOYA is going on correctly. If there is any misbehaving (like price manipulation or any suspicious actions from the keepers) the watchers can undo the action.

In the current implementation of the BaseConnector::sendTokensToTrustedAddress there is a call to the Watchers contract and more specifically the verifyRemoveLiquidity function that takes in 3 arguments - amount, newAmount and newData.

function sendTokensToTrustedAddress(address token, uint256 amount, address caller, bytes memory data)
        external
        returns (uint256)
    {
        emit TransferTokensToTrustedAddress(token, amount, caller, data);

        (address accountingManager,) = registry.getVaultAddresses(vaultId);

        if (msg.sender == accountingManager) {
            (,,,, address watcherContract,) = registry.getGovernanceAddresses(vaultId);

            (uint256 newAmount, bytes memory newData) = abi.decode(data, (uint256, bytes));

@>          Watchers(watcherContract).verifyRemoveLiquidity(amount, newAmount, newData);

            IERC20(token).safeTransfer(address(accountingManager), newAmount);
            amount = newAmount;
        } else if (registry.isAnActiveConnector(vaultId, msg.sender) || msg.sender == registry.flashLoan()) {
            IERC20(token).safeTransfer(address(msg.sender), amount);
        } else {
            uint256 routeId = abi.decode(data, (uint256));
            swapHandler.verifyRoute(routeId, msg.sender);
            if (caller != address(this)) revert IConnector_InvalidAddress(caller);
            IERC20(token).safeTransfer(msg.sender, amount);
        }

        _updateTokenInRegistry(token);

        return amount;
    }

However, inside the Watchers::verifyRemoveLiquidty , there is no implementation logic and nothing is being done with the passed arguments from the call made in BaseConnector::sendTokensToTrustedAddress.

pragma solidity 0.8.20;

import "./Keepers.sol";

contract Watchers is Keepers {
    constructor(address[] memory _owners, uint8 _threshold) Keepers(_owners, _threshold) { }
    function verifyRemoveLiquidity(uint256 withdrawAmount, uint256 sentAmount, bytes memory data) external view { }
}

Impact

The Watchers contract is missing its implementation logic, effectively leaving the protocol without a functioning Watchers role. This role is crucial for ensuring the integrity of strategy execution and for monitoring any misbehavior from the keepers.

Proof of Concept

https://github.com/code-423n4/2024-04-noya/blob/main/contracts/governance/Watchers.sol#L8

Tools Used

Manual Review

Recommended Mitigation Steps

Add the missing implementation logic to the Watchers::verifyRemoveLiquidity function to ensure that the Watchers contract has the necessary logic to fulfill its role.

Assessed type

Invalid Validation
@c4-bot-8 c4-bot-8 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels May 17, 2024
@c4-bot-13 c4-bot-13 added the 🤖_385_group AI based duplicate group recommendation label May 17, 2024
@c4-pre-sort
Copy link

DadeKuma marked the issue as duplicate of #1520

@c4-pre-sort c4-pre-sort added the insufficient quality report This report is not of sufficient quality label May 20, 2024
@c4-pre-sort
Copy link

DadeKuma marked the issue as insufficient quality report

@c4-judge
Copy link
Contributor

c4-judge commented Jun 2, 2024

gzeon-c4 changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jun 2, 2024
jacobheun pushed a commit that referenced this issue Jun 4, 2024
@c4-bot-4
TPSec issue #1434
0069f08
@PetarTolev
Copy link

Hi @gzeon-c4,

I would like to request a reconsideration of the severity for issue #1434. Although initially marked as QA, I believe it better aligns with the criteria for a Medium severity classification outlined in the Code4rena Docs:
2 — Med: Although assets aren't directly at risk, the protocol's functionality or availability could be impacted, potentially leading to value leaks via a hypothetical attack path under certain assumptions and external requirements.

Given that the Watchers are a critical component of Noya's security, as outlined in the Noya Security Measures, this issue significantly affects the protocol's governance and operational integrity.

The absence of implementation in the Watchers::verifyRemoveLiquidity function means there’s no validation of actions that should be monitored by the Watchers. This directly affects the protocol's ability to prevent misbehavior and consequently undermines the effectiveness of its security measures.

The missing logic creates a potential attack path where Keepers could exploit the lack of oversight, leading to unauthorized actions with severe and unpredictable consequences.

Although there is no immediate proof of attack, the lack of oversight presents a clear risk that needs to be addressed. Therefore, this issue fits the description of Medium severity, because it impacts the protocol's functionality and could lead to value leaks under certain conditions and external requirements (e.g., a Keeper misbehaving).

@C4-Staff C4-Staff reopened this Jun 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-1520 grade-a insufficient quality report This report is not of sufficient quality QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_385_group AI based duplicate group recommendation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@PetarTolev @c4-judge @c4-pre-sort @C4-Staff @c4-bot-8 @c4-bot-13