Open code423n4 opened 3 years ago
Vether contract is outside of contest
https://github.com/code-423n4/2021-04-vader-findings/issues/3#issuecomment-849043144
The warden should be paid out on this issue, in my opinion, because the code was included in the repo to be reviewed. The work to review the contract was done despite the fact that the team has addressed the issue and has already deployed vether.sol. I do not think that any issues related to Vether.sol should be included in the final report generated by @code423n4.
It was unclear to me (and obviously most of the wardens) that Vether.sol was considered out of scope.
Handle
jvaqa
Vulnerability details
Impact
Anyone Can Avoid All Vether Transfer Fees By Adding Their Address to the Vether ExcludedAddresses List.
Vether.sol implements a fee on every token transfer, unless either the sender or the recipient exists on a list of excluded addresses (mapAddress_Excluded). However, the addExcluded() function in Vether.sol has no restrictions on who can call it. So any user can call addExcluded with their own address as the argument, and bypass all transfer fees.
Proof of Concept
Alice calls:
(1) Vether.addExcluded(aliceAddress), which adds Alice's address to mapAddress_Excluded.
(2) Alice can now freely transfer Vether with no fees.
Recommended Mitigation Steps
Add restrictions on who can call addExcluded, perhaps by restricting it to a caller set by DAO.sol.
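A sketch of the recommended restriction, added here as an illustration and not taken from Vether.sol or from the warden's submission. It is a simplified fee-on-transfer token; the `dao` address, the `onlyDAO` modifier, the `ExcludedAdded` event, the parameter name `excluded`, the fee rate and the fee destination are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: simplified model of the finding, not the Vether.sol source.
contract FeeTokenSketch {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public mapAddress_Excluded;

    address public immutable dao;          // assumed: fixed at deploy, e.g. DAO.sol
    uint256 public constant FEE_BPS = 10;  // assumed fee rate (0.1%)

    // Emitted on every exemption so monitoring can alert on unexpected entries.
    event ExcludedAdded(address indexed account, address indexed by);

    constructor(address _dao, uint256 supply) {
        require(_dao != address(0), "dao is zero address");
        dao = _dao;
        balanceOf[msg.sender] = supply;
    }

    modifier onlyDAO() {
        require(msg.sender == dao, "caller is not the DAO");
        _;
    }

    // Shape of the reported problem: no caller check, so any account
    // can exempt any address, including its own.
    //
    //   function addExcluded(address excluded) external {
    //       mapAddress_Excluded[excluded] = true;
    //   }

    // Hardened form: only the DAO can grant a fee exemption.
    function addExcluded(address excluded) external onlyDAO {
        mapAddress_Excluded[excluded] = true;
        emit ExcludedAdded(excluded, msg.sender);
    }

    // Fee applies unless either side of the transfer is on the excluded list.
    function transfer(address to, uint256 amount) external returns (bool) {
        uint256 fee = 0;
        if (!mapAddress_Excluded[msg.sender] && !mapAddress_Excluded[to]) {
            fee = (amount * FEE_BPS) / 10_000;
        }
        balanceOf[msg.sender] -= amount;   // reverts on insufficient balance (0.8+)
        balanceOf[to] += amount - fee;
        balanceOf[address(this)] += fee;   // assumed: fee is held by the contract
        return true;
    }
}
```

With the modifier in place, the call in step (1) of the proof of concept reverts unless it comes from the DAO address, so the transfer in step (2) still pays the fee.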