code-423n4 / 2021-04-maple-findings


Griefing attack on pool creation in PoolFactory.sol #94

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

Pools are meant to be created only by Pool Delegates who are trusted actors in the protocol and, per the specification (https://github.com/maple-labs/maple-core/wiki/Security#trust-assumptions), must be validated by the Maple protocol, have a public reputation, and LPs and Stakers are electing them to manage their funds in a safe and responsible way.

Also, per the specification (https://github.com/maple-labs/maple-core/wiki/Protocol-Actors#pool-delegate) they manage liquidity pools in the protocol.

However, createPool has no access control and may be called by anyone. While Liquidity Providers and Borrowers should ideally not interact with such arbitrary pools created by unknown entities (i.e. not known Pool Delegates), this may nevertheless grief the protocol and cause confusion among actors.

Proof of Concept

https://github.com/maple-labs/maple-core/blob/60a341f5cb4b5c4d85320d3ee1b2bae4322c5078/contracts/PoolFactory.sol#L58-L110

https://github.com/maple-labs/maple-core/wiki/Pool-Creation#pooldelegate-transactions

Tools Used

Manual Analysis

Recommended Mitigation Steps

Whitelist the Pool Delegates in the protocol and allow only whitelisted Pool Delegates to create pools in the protocol.
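
The recommended mitigation, sketched as an added example that is not part of the original issue and is not maple-core code: a governor-managed allowlist that the factory consults before deploying a pool, plus a registry so front ends can reject pools that did not come from the factory. All contract, function and variable names (DelegateAllowlist, ExamplePool, ExamplePoolFactory, governor) and the compiler version are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration only: every name here is hypothetical, not maple-core's.
contract DelegateAllowlist {
    address public governor;                        // trusted admin (assumption)
    mapping(address => bool) public isPoolDelegate; // validated Pool Delegates

    event PoolDelegateSet(address indexed delegate, bool valid);

    constructor() { governor = msg.sender; }

    // Only the governor may add or revoke a Pool Delegate.
    function setPoolDelegate(address delegate, bool valid) external {
        require(msg.sender == governor, "NOT_GOVERNOR");
        isPoolDelegate[delegate] = valid;
        emit PoolDelegateSet(delegate, valid);
    }
}

// Stand-in for a real pool; it only records who manages it.
contract ExamplePool {
    address public immutable poolDelegate;
    constructor(address delegate) { poolDelegate = delegate; }
}

contract ExamplePoolFactory {
    DelegateAllowlist public immutable allowlist;
    mapping(address => bool) public isPool; // lets UIs reject pools not created here
    uint256 public poolsCreated;

    event PoolCreated(address indexed pool, address indexed delegate);

    constructor(DelegateAllowlist _allowlist) { allowlist = _allowlist; }

    // Without the require below, any address could deploy a pool through
    // the factory, which is the griefing vector the finding describes.
    function createPool() external returns (address pool) {
        require(allowlist.isPoolDelegate(msg.sender), "NOT_POOL_DELEGATE");
        pool = address(new ExamplePool(msg.sender));
        isPool[pool] = true;
        poolsCreated++;
        emit PoolCreated(pool, msg.sender);
    }
}
```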

lucas-manuel commented 3 years ago

Known issue, but since it will cost a large amount and PDs are whitelisted, we are ignoring it.