Silly Slate Goblin
Medium
- https://github.com/sherlock-audit/2024-10-morpho-x-index/blob/main/index-coop-smart-contracts/contracts/adapters/MorphoLeverageStrategyExtension.sol#L324
- https://github.com/sherlock-audit/2024-10-morpho-x-index/blob/main/index-coop-smart-contracts/contracts/adapters/MorphoLeverageStrategyExtension.sol#L396
onlyEOA in MorphoLeverageStrategyExtension relies on tx.origin on certain function like rebalance and ripcord to various attack vectors like sandwiching, re-entrancy, etc.
from EIP 7702:
Once code exists in the EOA, it's possible for self-sponsored EIP-7702 transactions to have msg.sender == tx.origin anytime the code in the EOA dispatches a call. Without EIP-7702, this situation can only ever arise in the topmost execution layer of a transaction. Therefore, this EIP breaks that invariant and so it affects smart contracts containing require(msg.sender == tx.origin) checks. This check is used for at least three purposes:
- Ensuring that msg.sender is an EOA (given that tx.origin always has to be an EOA). This invariant does not depend on the execution layer depth and, therefore, is not affected.
- Protecting against atomic sandwich attacks like flash loans, which rely on the ability to modify state before and after the execution of the target contract as part of the same atomic transaction. This protection would be broken by this EIP. However, relying on tx.origin in this way is considered bad practice, and can already be circumvented by miners conditionally including transactions in a block.
- Preventing reentrancy.
As mentioned in summary, tx.origin check is insufficient
N/A
- EIP7702 being approved (which is very likely as per ACD in next hardfork)
Sandwich the rebalance and ripcord transaction by selling loanToken/collateralToken, followed by rebalance then buying back loanToken/collateralToken cheaper
It also opens up various possibility of re-entrancy leading to grieving by flash loaning all funds from morpho and calling rebalance inside callback which needs to be explored further for impact.
Loss for all the LPs due to getting bad exchanges rates or in worst case leading to some undefined behavior due to re-entrancy.
same as "Attack Path" section
solution for checking EOA or not would be non-trivial post EIP 7702