Handle
gpersoon
Vulnerability details
Impact
Anyone can call the newLocker function in the *LockerFactory.sol contracts to create a new contract. This makes later checks of whether a contract was created by the factory (e.g. isValidSubFactory) less useful. This might be a step in using other vulnerabilities.
Proof of Concept
CollateralLockerFactory.sol: function newLocker(address collateralAsset) external returns (address) {
DebtLockerFactory.sol: function newLocker(address loan) external returns (address) {
FundingLockerFactory.sol: function newLocker(address liquidityAsset) public returns (address) {
LiquidityLockerFactory.sol: function newLocker(address liquidityAsset) external returns (address) {
StakeLockerFactory.sol: function newLocker(address stakeAsset,address liquidityAsset) external returns (address) {

MapleGlobals.sol:
function isValidSubFactory(address superFactory, address subFactory, uint8 factoryType) external view returns(bool) {
    return validSubFactories[superFactory][subFactory] && ISubFactory(subFactory).factoryType() == factoryType;
}
Tools Used
Editor
Recommended Mitigation Steps
Check if this is the intended behaviour and add additional checks if required.
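
One shape such an additional check could take, as an added example that is not code from this report or from the Maple code base: a permissionless factory beside one that only serves approved callers. Every contract name, the caller registry and the isLocker mapping are hypothetical and assume a governance-managed allowlist.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; all names are hypothetical, not Maple's contracts.
contract Locker {
    address public immutable asset;
    address public immutable owner; // the caller that requested this locker

    constructor(address _asset, address _owner) {
        asset = _asset;
        owner = _owner;
    }
}

// Assumed governance-managed allowlist of accounts that may create lockers.
contract CallerRegistry {
    address public immutable governor;
    mapping(address => bool) public isApprovedCaller;

    constructor() { governor = msg.sender; }

    function setApprovedCaller(address caller, bool approved) external {
        require(msg.sender == governor, "REGISTRY:NOT_GOVERNOR");
        isApprovedCaller[caller] = approved;
    }
}

contract OpenLockerFactory {
    mapping(address => bool) public isLocker;

    // Permissionless: any account gets a locker that passes isLocker(),
    // so "created by the factory" says nothing about who asked for it.
    function newLocker(address asset) external returns (address locker) {
        locker = address(new Locker(asset, msg.sender));
        isLocker[locker] = true;
    }
}

contract RestrictedLockerFactory {
    CallerRegistry public immutable registry;
    mapping(address => bool) public isLocker;
    event LockerCreated(address indexed locker, address indexed owner, address asset);

    constructor(CallerRegistry _registry) { registry = _registry; }

    // Only approved callers can create lockers, so isLocker() also vouches for the creator.
    function newLocker(address asset) external returns (address locker) {
        require(registry.isApprovedCaller(msg.sender), "FACTORY:CALLER_NOT_APPROVED");
        locker = address(new Locker(asset, msg.sender));
        isLocker[locker] = true;
        emit LockerCreated(locker, msg.sender, asset);
    }
}
```

Recording the creator in the locker and emitting an event also gives monitoring a way to see who created which locker, whichever factory variant is used.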