mikemcdonald
commented
4 years ago Won't fix. setBLabs won't be used in bronze since the EXIT_FEE is 0. And the additional UX complexity does not outweigh the benefits of splitting setController
Closed ggrieco-tob closed 4 years ago
mikemcdonald
commented
4 years ago Won't fix. setBLabs won't be used in bronze since the EXIT_FEE is 0. And the additional UX complexity does not outweigh the benefits of splitting setController
Severity: Low Difficulty: Medium
Description
An incorrect use of the functions to set privileged addresses in contracts can irreversibly set them to invalid addresses, such as 0x0.
The owner or the controller of the contracts can change the address of privileged addressed using functions such as
setControllerandsetBLabs:https://github.com/balancer-labs/balancer-core/blob/master/contracts/BPool.sol#L205-L212 https://github.com/balancer-labs/balancer-core/blob/master/contracts/BFactory.sol#L51-L54
However, these functions do not check for invalid values (e.g. 0x0) and they work in a single transaction.
Exploit Scenario
Alice creates a pool. She uses some off-chain code to manage it . However, a software issue in her code calls the
setControllerfunction with an uninitialized value (0x0). The BPool code accepts this new value and the locks up Alice's pool. As a result of that, she will need to create a new pool.Recommendation
Short term, split this important functionality in several functions. For instance, to change the current controller, implement
setControllerandacceptControllerwhich reject any null address. Additionally, add arenounceControllerfunction that allows to set the controller to 0x0 if needed.Long term, use Echidna and Manticore to verify that the administrative addresses cannot be set to incorrect values.