dinkras - A malicious account can drain all funds in a vault in some cases

Question

dinkras - A malicious account can drain all funds in a vault in some cases

Closed this issue 7 months ago · 0 comments

dinkras

medium

A malicious account can drain all funds in a vault in some cases

Summary

Jobs have the option to be executed by anyone(if chosen by the owner). In this case anyone can call theOpenRelay.exec()at anytime and collect the fees for himself. This could also happen if a keeper network becomes malicious and executes the jobs not at the scheduled time, but very frequently in order to drain all the vault funds via the fee mechanism.

Vulnerability Detail

In case the vault owner has authorized anyone to call his AutomationVault.exec() or in case of the already authorized keeper network becomes malicious, those accounts can drain all the vault funds to themselfs.

This could happen because OpenRelay.sol specifies a recipeint for the fee as a param. Therefore those actors could call the exec() whenever they want(with a huge amount of frequent thxs) and drain the vault by getting their fees each time an execution happens.
_feeRecipient=attacker
https://github.com/sherlock-audit/2024-04-xkeeper/blob/main/xkeeper-core/solidity/contracts/relays/OpenRelay.sol#L21C12-L24

Impact

All user's vaults which have enabled OpenRelay loose their funds

Code Snippet

https://github.com/sherlock-audit/2024-04-xkeeper/blob/main/xkeeper-core/solidity/contracts/relays/OpenRelay.sol#L21C12-L24

Tool used

Manual Review

Recommendation

Acknowledge the risk. Maybe inform the users about the risks before they make such setups(callers=any)

Duplicate of #4