enami - KYC Address Allocation Not Properly Enforced in invest() Function #299

Open
sherlock-admin3 opened this issue Nov 17, 2024 · 0 comments


sherlock-admin3 commented Nov 17, 2024

enami

Medium

KYC Address Allocation Not Properly Enforced in invest() Function

Summary

The invest() function allows an address other than the kycAddress to make investments, which could lead to unauthorized investments for users as attackers can bypass KYC restrictions by calling the invest() function with a different address.

Root Cause

In the current implementation, the caller of the invest() function does not need to be the same as the kycAddress, allowing unauthorized individuals to make investments on behalf of other users. This bypasses the KYC check, which is intended to prevent such actions.

https://github.com/sherlock-audit/2024-11-vvv-exchange-update/blob/1791f41b310489aaa66de349ef1b9e4bd331f14b/vvv-platform-smart-contracts/contracts/vc/VVVVCInvestmentLedger.sol#L141

Internal pre-conditions

  1. The invest() function allows any address to call the function, regardless of whether it matches the kycAddress.
  2. There is no explicit validation to ensure that the address calling the function matches the associated kycAddress.

External pre-conditions

  • No external conditions specifically impact this issue directly. The problem lies in the internal implementation and the lack of address validation.

Attack Path

  1. The attacker calls the invest() function with an address different from the kycAddress.
  2. The protocol does not validate the caller’s address against the kycAddress, allowing the attacker to bypass the KYC restriction.
  3. This results in unauthorized investments being made on behalf of another user, potentially leading to fraud or manipulation.

Impact

The users suffer from unauthorized investments being made on their behalf, potentially causing financial losses or manipulation of their investment accounts. The protocol suffers from a breach in KYC requirements, undermining its integrity.

PoC

// Example of bypassing KYC check by using a different address
address attacker = 0x1234...; // Attacker's address
address kycAddress = 0xSomeValidAddress; // The valid KYC address
uint256 amountToInvest = 1000;

// Attacker calls invest with different address
contract.invest({
    amountToInvest: amountToInvest,
    exchangeRateNumerator: 1,
    kycAddress: kycAddress,
    feeNumerator: 50
});

Mitigation

  • Add a check in the invest() function to ensure that the caller’s address is the same as the kycAddress to prevent unauthorized investments.
  • Ensure that only the KYC-approved address can initiate investment transactions.

sherlock-admin3 changed the title from "Ancient Cloud Bird - KYC Address Allocation Not Properly Enforced in invest() Function" to "enami - KYC Address Allocation Not Properly Enforced in invest() Function" on Nov 23, 2024
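
The caller check proposed under Mitigation, shown beside the unchecked behaviour the report describes. This is an added Solidity example, not code from the issue or from the audited repository: the contract name, struct layout, error, mapping and both function names are hypothetical, and only the four parameter names are taken from the PoC.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a simplified, hypothetical ledger, not VVVVCInvestmentLedger.sol.
contract InvestLedgerSketch {
    // Field names follow the PoC on this page; the struct layout is an assumption.
    struct InvestParams {
        uint256 amountToInvest;
        uint256 exchangeRateNumerator;
        address kycAddress;
        uint256 feeNumerator;
    }

    error CallerIsNotKycAddress(address caller, address kycAddress);

    // Running total attributed to each KYC address (hypothetical bookkeeping).
    mapping(address => uint256) public investedBy;

    event Invested(address indexed kycAddress, uint256 amount);

    // Behaviour the report describes: the caller is never compared with kycAddress,
    // so any sender can record an investment against someone else's KYC address.
    function investUnchecked(InvestParams calldata p) external {
        _record(p);
    }

    // Mitigation the report proposes: only the KYC address itself may invest.
    function investChecked(InvestParams calldata p) external {
        if (msg.sender != p.kycAddress) {
            revert CallerIsNotKycAddress(msg.sender, p.kycAddress);
        }
        _record(p);
    }

    // Shared bookkeeping; token transfers and fee handling are left out of this sketch.
    function _record(InvestParams calldata p) private {
        investedBy[p.kycAddress] += p.amountToInvest;
        emit Invested(p.kycAddress, p.amountToInvest);
    }
}
```

A strict equality check also rejects a KYC-approved user who invests from a second wallet, so it fits only where one wallet per KYC identity is the intended design.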