Open code423n4 opened 3 years ago
Informational, will address
Handle
0xRajeev
Vulnerability details
Impact
The error message string for the require statement on L160 of LoanFactory.sol incorrectly uses PoolFactory as the source contract for this message instead of LoanFactory, which could be confusing when this error is hit.
require(msg.sender == globals.governor() || admins[msg.sender], "PoolFactory:UNAUTHORIZED");
Proof of Concept
https://github.com/maple-labs/maple-core/blob/355141befa89c7623150a83b7d56a5f5820819e9/contracts/LoanFactory.sol#L160
Tools Used
Manual Analysis
Recommended Mitigation Steps
Change error message to: require(msg.sender == globals.governor() || admins[msg.sender], "LoanFactory:UNAUTHORIZED");