Skip to content

feat: Lyra incident #102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
pinalikefruit wants to merge 6 commits into
base: master
Choose a base branch
from
Open

feat: Lyra incident #102

pinalikefruit wants to merge 6 commits into from

Conversation

@pinalikefruit
Copy link
Contributor

@pinalikefruit pinalikefruit commented Nov 11, 2025

Simple, reproducible attack for missing data validation, to bring in recent content related to the categories of Data Validation and Bridges

nine-december
nine-december reviewed Dec 1, 2025
View reviewed changes
test/Bad_Data_Validation/LyraDepositWrapper/README.md Outdated

- **Whitelist Addresses:** The `socketVault` parameter should not have been an arbitrary address. The contract should maintain a whitelist of trusted vault addresses.

- **Input Validation:** The fix is to validate inputs properly. The function should have required the deposit amount to be greater than zero.
Copy link
Collaborator

@nine-december nine-december Dec 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this check would not protect against the attack.

LYRA_DEPOSIT_WRAPPER.depositToLyra{value: 0}(
    address(USDC),
    ATTACKER, // socketVault: The address to grant approval to.
    false,
    1,        // amount: something greater than the min deposit (would get it back afterwards).
    1,
    address(WETH)
);

and then directly from the ATTACKER, pull the approved tokens.

The issue is fixed by:

  • validating inputs
  • removing that infinite approval using specific-amounts (or, if needed, resetting the approval back to zero at the very end of the call).
  • The worst thing here is the arbitrary targets and parameters allowed by the lack of checks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nine-december nine-december nine-december left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pinalikefruit @nine-december