tldr; Funds are safe!
Medium Risk Issue
Earlier this week we received a bounty submission for an issue with the V5 Vault.
WETH doesn’t have a “permit” function. Permit allows users to sign an approval off-chain, then submit the signature so that a deposit can be done in one transaction.
The vault function permitAndDeposit is the function that facilitates the approve + deposit in one transaction. For WETH, however, the permit silently fails. This means that anyone can deposit on someone’s behalf if that user has done an infinite approval.
While funds cannot be stolen, it would be annoying to have someone deposit your WETH for you. It’s a griefing attack.
Fortunately, only four accounts have done an infinite approval, and one of them is me!
Mitigation Steps
Short Term
The immediate step we took was to update the Cabana app so that approvals to the WETH vault are only for the deposit amount. This means that no one can have “deposits against their will” if they’ve used the Cabana app.
You can revoke your approval by depositing a non-zero amount through the app (or use other means). Only four accounts have infinite approval, and should revoke the approval:
0xa38445311cCd04a54183CDd347E793F4D548Df3F0x714b831eB02FE854283219B2B9f1c6951f46Dcb90x6ab223Aa761e64FCa5e384098f0c91C50c6eC4940xe9611e603F1678498131f617ffeB7827353D3657
Long Term
We have a fix for the vault queued in our backlog. We will apply the fix soon, so that we don’t have to worry about this in the future.
On-going Bounty Program
This issue was medium risk (griefing) according to the ImmuneFi Vulnerability Classification. We paid the whitehat out from the budget that was allocated for the upcoming ImmuneFi program.