Type: #validation #arbitraryData
Project: Sushiswap
Date: 09/04/23
Blockchain: Multichain
Problem: Callback address is not validated.
The sushi router doesn't validate that the v3Pool address caller is a v3 pool (Uniswap router does), so anyone could pass any arbitrary contract which can callback sushiRouter.swap3callback() with any from address.
The Hacker:
1) Creates malicious contract and passes arbitrary data which calls the malicious contract.
2) The malicious Pool calls back the RouteProcessor2 uniswapV3SwapCallback function in its swap function. Since the lastCalledPool variable has been set to Pool, the check for msg.sender in uniswapV3SwapCallback is bypassed.
3) Constructs token transfer parameters when the malicious Pool calls back the uniswapV3SwapCallback function, stealing tokens from other users who have approved RouteProcessor2.
Discoverer: NaN, was hacked
Harm: 3 M $
link
Project: Sushiswap
Date: 09/04/23
Blockchain: Multichain
Problem: Callback address is not validated.
The sushi router doesn't validate that the v3Pool address caller is a v3 pool (Uniswap router does), so anyone could pass any arbitrary contract which can callback sushiRouter.swap3callback() with any from address.
The Hacker:
1) Creates malicious contract and passes arbitrary data which calls the malicious contract.
2) The malicious Pool calls back the RouteProcessor2 uniswapV3SwapCallback function in its swap function. Since the lastCalledPool variable has been set to Pool, the check for msg.sender in uniswapV3SwapCallback is bypassed.
3) Constructs token transfer parameters when the malicious Pool calls back the uniswapV3SwapCallback function, stealing tokens from other users who have approved RouteProcessor2.
Discoverer: NaN, was hacked
Harm: 3 M $
link