search

code-423n4 / 2021-04-vader-findings

1 stars 0 forks source link

Allowing duplicated anchors could cause bias on anchor price. #314

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

In Router.sol, the setup of the five anchors can be interrupted by anyone adding a new anchor due to the lack of access control of the listAnchor function. Also, duplicate anchors are allowed. If the same anchor is added three times, then this anchor biases the result of getAnchorPrice.

Proof of Concept

Referenced code: Router.sol#L245-L252

PoC: Link to PoC See the file 200_listAnchor.js for a PoC of this attack. To run it, use npx hardhat test 200_listAnchor.js.

Tools Used

None

Recommended Mitigation Steps

Only allow listAnchor to be called from the deployer by adding a require statement. Also, check if an anchor is added before by require(_isCurated == false).

strictly-scarce commented 3 years ago

Deployer will list the anchors, seems highly unlikely they will get griefed in practice. Severity: 1