Closed gangov closed 9 months ago
The access control in the `update_config` function of the pool contract (`contracts/pool/src/contract.rs`) is implemented as follows:

```rust
if sender != utils::get_admin(&env) {
    panic!("Pool: UpdateConfig: Unauthorized");
}
```
The issue is that `sender` is not the invoker of the contract; it is a parameter supplied by the caller when invoking the function. Soroban has no implicit "message sender": an `Address` passed as an argument carries no proof that its owner authorized the call, so any caller can simply pass the admin's address and satisfy the comparison.

Impact

Any user can change the configuration of the pool.
Recommendation

Implement an access control pattern similar to the one found in the `upgrade` function in the same file (`contracts/pool/src/contract.rs`): load the admin from storage and require that address to have authorized the invocation, instead of trusting a caller-supplied parameter.

```rust
let admin: Address = utils::get_admin(&env);
admin.require_auth();
```
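To make the difference between the two patterns concrete, here is an added example that is not code from the audited pool contract and does not depend on `soroban_sdk`. It models the Soroban authorization rule in plain Rust: an `Address` only counts as authorized when the invoker actually authorized the call for it (what `Address::require_auth` checks), never because it appeared as an argument. The `Env`, `Address`, `Config`, `get_admin` and `require_auth` types and functions below are stand-ins written for this example (the real `require_auth` aborts the transaction rather than returning an `Err`; the mock returns `Result` so the outcome can be inspected).

```rust
// Added example: a plain-Rust model of the Soroban auth rule, not the
// project's code. Real contracts use soroban_sdk::{Env, Address}.
use std::collections::HashSet;

#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct Address(pub String);

/// Stand-in for the parts of the host environment this example needs:
/// the stored admin and the set of addresses that authorized the current
/// invocation (assumption: this is what the host consults in require_auth).
pub struct Env {
    admin: Address,
    authorized: HashSet<Address>,
}

impl Env {
    /// `signers` are the addresses that actually authorized this invocation.
    pub fn new(admin: &str, signers: &[&str]) -> Self {
        Env {
            admin: Address(admin.to_string()),
            authorized: signers.iter().map(|s| Address(s.to_string())).collect(),
        }
    }

    /// Mirrors utils::get_admin(&env) from the finding.
    pub fn get_admin(&self) -> Address {
        self.admin.clone()
    }
}

impl Address {
    /// Mirrors Address::require_auth: succeeds only if this address
    /// authorized the invocation. The real SDK call aborts instead of
    /// returning an error.
    pub fn require_auth(&self, env: &Env) -> Result<(), String> {
        if env.authorized.contains(self) {
            Ok(())
        } else {
            Err(format!("{:?} did not authorize this call", self))
        }
    }
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Config {
    pub fee_bps: u32,
}

/// Vulnerable pattern from the finding: `sender` is caller-supplied input,
/// so any invoker can pass the admin's address and satisfy the comparison.
pub fn update_config_vulnerable(
    env: &Env,
    sender: Address,
    new: Config,
    cfg: &mut Config,
) -> Result<(), String> {
    if sender != env.get_admin() {
        return Err("Pool: UpdateConfig: Unauthorized".to_string());
    }
    *cfg = new;
    Ok(())
}

/// Fixed pattern (the one used by the contract's `upgrade` function): load
/// the admin from storage and require that address to have authorized the
/// invocation. There is no `sender` parameter to spoof.
pub fn update_config_fixed(env: &Env, new: Config, cfg: &mut Config) -> Result<(), String> {
    let admin = env.get_admin();
    admin.require_auth(env)?;
    *cfg = new;
    Ok(())
}

fn main() {
    // Constructed scenario: the attacker authorized the call, the admin did not.
    let env = Env::new("GADMIN", &["GATTACKER"]);
    let mut cfg = Config { fee_bps: 30 };

    // The spoofed sender passes the vulnerable check and rewrites the config.
    let spoofed = update_config_vulnerable(&env, Address("GADMIN".into()), Config { fee_bps: 0 }, &mut cfg);
    println!("vulnerable: {:?}, fee_bps = {}", spoofed, cfg.fee_bps);

    // The fixed version refuses because GADMIN never authorized the call.
    let mut cfg2 = Config { fee_bps: 30 };
    let rejected = update_config_fixed(&env, Config { fee_bps: 0 }, &mut cfg2);
    println!("fixed: {:?}, fee_bps = {}", rejected, cfg2.fee_bps);
}
```

The point the model makes explicit: the vulnerable check compares two values the attacker fully controls (the argument and the public admin address), whereas `require_auth` ties the check to who actually authorized the invocation.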