Zapper Arbitrary Call Data Bug Fix Postmortem


Immunefi

Summary

Whitehat Lucash-dev, a recipient of the Whitehat Scholarship at Immunefi, found a critical vulnerability in Zapper on June 9 that would have allowed a malicious user to steal LP tokens on an ongoing basis through injecting arbitrary call data. After Immunefi’s disclosure of the bug, Zapper paused its contracts using the toggleContractActive() function, which prevents the vulnerable function from being called and then issued a fix within 24 hours. Zapper is paying Lucash-dev a bounty of $25,000 for his find.

Vulnerability Analysis

Zapper has a set of contracts that help users get positions (aka, “zap in”) in Uniswap and Sushiswap liquidity pools (LP) and another set of contracts that help them withdraw the liquidity (aka “zap out”) from the pools. To perform that task, the contracts must be approved by users to perform transfers of LP tokens on their behalf. The “Zap out” contracts (both Uniswap and Sushiswap) had a functionality (functions ZapOutWithPermit and ZapOut2PairTokenWithPermit) that allowed users to specify an arbitrary call to any liquidity pool, with arbitrary data, in order to obtain the permission to transfer funds from the user.

Since the contract performed no validation of the user-supplied call data, an attacker could pass the function ABI-encoded data for a “transferFrom” call and force the contract to transfer all LP tokens from any victim to the attacker. The end result is theft of LP tokens from the victim’s balance. The only requirement is that the victim had previously approved the Zapper contract. Because users are expected to approve the contract, anyone submitting transactions to “Zap Out” would be a potential victim.

See the Proof of Concept for this attack below:

Vulnerability Fix

After the report, the Zapper team paused the contract and issued a bug fix within 24 hours. The fix blocked the previously vulnerable function from accepting arbitrary calldata. According to Zapper’s postmortem, in the future, parameters for the permit call will be computed on-chain.
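The following Solidity is an added illustration of the pattern described in the Vulnerability Analysis and Vulnerability Fix sections above; it is not Zapper's code and the contract and function names (ZapOutVulnerablePattern, ZapOutHardenedPattern, IERC20Permit, _requireValidPermit) are assumptions. The vulnerable variant forwards caller-supplied bytes to the pool, so any selector the caller encodes runs with the zap contract as msg.sender, against an approval the victim granted to that contract. The hardened variant computes the permit call on-chain from typed parameters, which is the approach Zapper's postmortem describes, and a defence-in-depth check is shown for designs that must still accept raw bytes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// Minimal interface for an EIP-2612-style LP token (illustrative assumption).
interface IERC20Permit {
    function permit(
        address owner, address spender, uint256 value, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external;
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE PATTERN (illustrative): the pool is called with bytes chosen
// entirely by the caller. The contract only wanted `permit`, but nothing
// restricts the selector or the decoded arguments, so a call such as
// `transferFrom(victim, attacker, amount)` executes with this contract as
// msg.sender, spending the victim's prior approval.
contract ZapOutVulnerablePattern {
    function zapOutWithPermit(address pool, bytes calldata permitData, uint256 amount) external {
        (bool ok, ) = pool.call(permitData); // unvalidated forwarding: the bug
        require(ok, "permit call failed");
        // Pull the caller's LP tokens and unwind the position (elided).
        require(IERC20Permit(pool).transferFrom(msg.sender, address(this), amount), "pull failed");
    }
}

// HARDENED PATTERN (illustrative): the caller supplies only the signature
// fields. The contract builds the permit call itself, so the selector is
// fixed to `permit`, the owner is fixed to msg.sender and the spender is
// fixed to this contract. There is no way to reach any other pool function.
contract ZapOutHardenedPattern {
    function zapOutWithPermit(
        address pool, uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s
    ) external {
        IERC20Permit(pool).permit(msg.sender, address(this), amount, deadline, v, r, s);
        require(IERC20Permit(pool).transferFrom(msg.sender, address(this), amount), "pull failed");
        // Unwind the position (elided).
    }

    // Defence in depth for designs that must still accept encoded bytes:
    // decode them and require the selector and parties to be the expected
    // ones before forwarding. Rejecting anything else closes the same hole.
    function _requireValidPermit(bytes calldata data) internal view {
        require(data.length == 4 + 7 * 32, "permit: bad length");
        require(bytes4(data[:4]) == IERC20Permit.permit.selector, "permit: wrong selector");
        (address owner, address spender, , , , , ) = abi.decode(
            data[4:], (address, address, uint256, uint256, uint8, bytes32, bytes32)
        );
        require(owner == msg.sender, "permit: owner must be caller");
        require(spender == address(this), "permit: spender must be this contract");
    }
}
```

The useful audit question for any contract holding user approvals is the one this example isolates: does any reachable path let a caller choose the selector or the `from` address of a call made by the approved contract? If so, the approval is effectively granted to every caller, which is exactly the condition the report describes.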

Acknowledgements

We’d like to thank the Zapper team for their rapid and effective response to the bug report. Zapper paid out a bounty of $25,000 to the whitehat. To report additional vulnerabilities, please see Zapper’s bug bounty program with Immunefi. If you’re interested in protecting your project with a bug bounty like Zapper, visit the Immunefi services page and fill out the form.
