Full Report
Zapper is a DeFi wallet and aggregation platform whose purpose is to hide the mechanics of joining liquidity pools. Joining a pool requires several different assets, so a user doing it by hand would need many separate transactions; Zapper instead swaps the user's coins into the required assets and deposits them into the pool in one step. For Uniswap and SushiSwap pools, depositing funds to acquire a position is known as zapping in, and withdrawing funds from the pool is known as zapping out. To let Zapper do this, a user first had to approve the Zapper contract to spend their tokens. To support these operations, Zapper let users specify an arbitrary call to any liquidity pool: both the target address and the call data were caller-controlled. An attacker could therefore submit a `transferFrom()` payload that made the contract move all LP tokens from any victim to the attacker, because the victim had already granted the contract an allowance over those tokens. In effect this was a cross-account zap out performed through the service itself. To fix the vulnerability, Zapper removed the ability to pass arbitrary call data. Regardless, an interesting bug!
Analysis Summary
# Vulnerability: Zapper Arbitrary Call Data Allows LP Token Theft
## CVE Details
- CVE ID: N/A (No official CVE assigned based on the provided text)
- CVSS Score: N/A (Score not provided)
- CWE: Not assigned in the source text. CWE-89 (SQL Injection) does not apply here. The closest fit for a contract that forwards a caller-controlled target address and call data with its own authority is CWE-749 (Exposed Dangerous Method or Function), with CWE-284 (Improper Access Control) describing the resulting cross-account token movement. This classification is the editor's assessment, not the vendor's.
## Affected Systems
- Products: Zapper Platform (the contract functionality that let users attach an arbitrary call, with caller-chosen target address and call data, to Uniswap and SushiSwap liquidity pool operations used for zapping in and zapping out)
- Versions: All deployments prior to the removal of the arbitrary call data functionality (no version identifiers are given in the source).
- Configurations: Any user who had granted the Zapper contract an ERC-20 allowance over their LP tokens was exposed; no special configuration was required.
## Vulnerability Description
The Zapper platform let users "zap in" (deposit funds to acquire a position) and "zap out" (withdraw) from Uniswap and SushiSwap liquidity pools by approving the Zapper contract to spend tokens on their behalf. To implement this, the Zapper contract accepted an *arbitrary call* to any liquidity pool from the caller: both the target address and the call data were caller-controlled, and the contract forwarded the call with its own authority (that is, with the contract as `msg.sender`). Because an ERC-20 `transferFrom()` only checks whether the token owner has granted the spender an allowance, an attacker could supply call data encoding `transferFrom(victim, attacker, amount)`. The Zapper contract, which held allowances from every user who had previously zapped in, executed that call and moved the victim's LP tokens directly to the attacker. The victim did not need to sign anything at the time of the attack; the earlier approval was sufficient. This resulted in cross-account theft of LP tokens.
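As an added example (not code from the page or from Zapper), the following Python model reconstructs the pattern described above and the detection rule given in the Detection section: a minimal ERC-20 token with allowances, a hypothetical `VulnerableZapper` that forwards caller-supplied call data with its own authority, a hypothetical `FixedZapper` that builds the call itself so `from` is always the caller, and a check that flags `transferFrom` call data whose `from` field is not the transaction sender. Contract names, addresses and balances are constructed for the demonstration; the `transferFrom` selector `0x23b872dd` is the real ERC-20 selector.

```python
from typing import Dict, Optional, Tuple

# First four bytes of keccak256("transferFrom(address,address,uint256)"); the real on-chain selector.
SEL_TRANSFER_FROM = bytes.fromhex("23b872dd")
UNLIMITED = 2**256 - 1  # the "infinite approval" many dApp front-ends request


def encode_address(addr: str) -> bytes:
    """ABI-encode a 0x-prefixed 20-byte address as a left-padded 32-byte word."""
    return bytes(12) + bytes.fromhex(addr[2:])


def encode_transfer_from(src: str, dst: str, amount: int) -> bytes:
    """Build the exact calldata an attacker would hand to the arbitrary-call entry point."""
    return SEL_TRANSFER_FROM + encode_address(src) + encode_address(dst) + amount.to_bytes(32, "big")


def decode_transfer_from(calldata: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (from, to, amount) if calldata is a well-formed transferFrom call, else None."""
    if calldata[:4] != SEL_TRANSFER_FROM or len(calldata) != 4 + 3 * 32:
        return None
    src = "0x" + calldata[16:36].hex()
    dst = "0x" + calldata[48:68].hex()
    return src, dst, int.from_bytes(calldata[68:100], "big")


class LPToken:
    """Minimal ERC-20 model (constructed). `sender` stands in for msg.sender."""

    def __init__(self) -> None:
        self.balances: Dict[str, int] = {}
        self.allowance: Dict[Tuple[str, str], int] = {}  # (owner, spender) -> amount

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount

    def approve(self, sender: str, spender: str, amount: int) -> None:
        self.allowance[(sender, spender)] = amount

    def transfer_from(self, sender: str, src: str, dst: str, amount: int) -> None:
        # The only authorisation ERC-20 performs: has `src` granted `sender` an allowance?
        allowed = self.allowance.get((src, sender), 0)
        if allowed < amount or self.balances.get(src, 0) < amount:
            raise PermissionError("ERC20: insufficient allowance or balance")
        if allowed != UNLIMITED:
            self.allowance[(src, sender)] = allowed - amount
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def call(self, sender: str, calldata: bytes) -> None:
        """Dispatch raw calldata the way the EVM would (only transferFrom is modelled)."""
        decoded = decode_transfer_from(calldata)
        if decoded is None:
            raise ValueError("selector not modelled")
        self.transfer_from(sender, *decoded)


class VulnerableZapper:
    """Hypothetical reconstruction of the flawed pattern: caller-supplied target and calldata."""
    ADDRESS = "0x" + "5a" * 20

    def zap_out(self, caller: str, target: LPToken, calldata: bytes) -> None:
        # Flaw: whatever `caller` put in calldata runs with msg.sender == this contract,
        # so every allowance ever granted to the contract is usable by any caller.
        target.call(self.ADDRESS, calldata)


class FixedZapper:
    """Hypothetical hardened form: calldata is built inside the contract, never accepted from the caller."""
    ADDRESS = "0x" + "5a" * 20

    def zap_out(self, caller: str, lp: LPToken, amount: int) -> None:
        # `from` is pinned to the caller, so an allowance can only move the caller's own tokens.
        lp.call(self.ADDRESS, encode_transfer_from(caller, self.ADDRESS, amount))


def is_cross_account_transfer_from(tx_sender: str, calldata: bytes) -> bool:
    """Detection heuristic: a transferFrom whose `from` is not the account that sent the transaction."""
    decoded = decode_transfer_from(calldata)
    return decoded is not None and decoded[0] != tx_sender


def demo() -> Dict[str, int]:
    victim, attacker = "0x" + "11" * 20, "0x" + "22" * 20  # constructed addresses
    lp = LPToken()
    lp.mint(victim, 1_000)
    lp.approve(victim, VulnerableZapper.ADDRESS, UNLIMITED)  # victim zapped in once before

    # Attacker-controlled calldata: move the victim's LP tokens to the attacker.
    evil = encode_transfer_from(victim, attacker, 1_000)
    VulnerableZapper().zap_out(attacker, lp, evil)

    # Same attempt against the fixed contract: `from` is forced to the attacker, who holds nothing.
    lp2 = LPToken()
    lp2.mint(victim, 1_000)
    lp2.approve(victim, FixedZapper.ADDRESS, UNLIMITED)
    try:
        FixedZapper().zap_out(attacker, lp2, 1_000)
        blocked = False
    except PermissionError:
        blocked = True
    return {"victim_after_vuln": lp.balances[victim], "attacker_after_vuln": lp.balances[attacker],
            "fixed_blocked": int(blocked), "victim_after_fix": lp2.balances[victim],
            "flagged": int(is_cross_account_transfer_from(attacker, evil))}


if __name__ == "__main__":
    print(demo())
```

The model deliberately keeps only the ERC-20 allowance check, because that is the whole of the authorisation the pool token performs; every other defence had to live in the Zapper contract, and the fix is to stop accepting the call data at all rather than to filter selectors.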
## Exploitation
- Status: The source describes a working exploit path; whether it was exploited in the wild is not stated.
- Complexity: Low. The attacker needs only a victim who has already approved the Zapper contract to spend their LP tokens (the normal precondition for using the service) and a single transaction carrying a crafted `transferFrom(victim, attacker, amount)` payload; no action by the victim is required at the time of the attack.
- Attack Vector: Network (a transaction submitted to the blockchain)
## Impact
- Confidentiality: Low (no private data is exposed; all state involved is already public on-chain)
- Integrity: **High** (unauthorized, irreversible transfer of victim-owned LP tokens)
- Availability: Low (the impact is loss of assets, covered under Integrity, not a service outage; the victim's pool position is gone rather than temporarily inaccessible)
## Remediation
### Patches
- The vulnerability was fixed by **removing the ability for users to supply arbitrary call data** when initiating "zap in" or "zap out" operations, so the contract now constructs every pool call itself. (No patched version numbers or contract addresses are given in the source.)
### Workarounds
- None mentioned in the source, as the logic flaw was remediated via code changes. As a general ERC-20 mitigation (not one the source names), a user who has granted an allowance to a vulnerable contract can revoke it by calling `approve(spender, 0)` on the token, which removes the precondition for the attack. Users should only interact with services that restrict forwarded calls to known safe functions.
## Detection
- Indicators of compromise: Unexplained loss of LP tokens from accounts that previously approved the Zapper contract, with no corresponding transaction signed by the victim.
- Detection methods and tools: On-chain monitoring that flags transactions to the Zapper contract whose call data carries a `transferFrom()` in which the `from` address differs from the transaction sender, or LP token `Transfer` events where the Zapper contract is the spender and the tokens leave an account other than the sender's.
## References
- Vendor Advisories: Not provided in the article text.
- Relevant links - defanged: N/A