Handle
shw
Vulnerability details
Impact
In Router.sol, the setup of the five anchors can be interrupted by anyone adding a new anchor due to the lack of access control of the listAnchor function. Also, duplicate anchors are allowed. If the same anchor is added three times, then this anchor biases the result of getAnchorPrice.
Proof of Concept
Referenced code: Router.sol#L245-L252
PoC: Link to PoC
See the file 200_listAnchor.js for a PoC of this attack. To run it, use npx hardhat test 200_listAnchor.js.
Tools Used
None
Recommended Mitigation Steps
Only allow listAnchor to be called from the deployer by adding a require statement. Also, check if an anchor is added before by require(_isCurated == false).
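A sketch of the two recommended checks, added here as an illustration and not taken from the project's Router.sol. Only listAnchor and _isCurated come from the report; the contract name, DEPLOYER, arrayAnchors, MAX_ANCHORS, the event, and the per-token mapping form of _isCurated are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the project's Router.sol. Names other than
// listAnchor and _isCurated are assumptions made for this sketch.
contract AnchorRegistry {
    // The report speaks of five anchors; enforcing it as a cap is assumed.
    uint256 public constant MAX_ANCHORS = 5;
    address public immutable DEPLOYER;
    address[] public arrayAnchors;
    // Assumed to be keyed by token address.
    mapping(address => bool) private _isCurated;

    event AnchorListed(address indexed token, uint256 index);

    constructor() {
        DEPLOYER = msg.sender;
    }

    // Unprotected shape described in the report, kept as a comment for
    // comparison: any caller can take a slot, and one token can take several.
    //
    // function listAnchor(address token) external {
    //     arrayAnchors.push(token);
    //     _isCurated[token] = true;
    // }

    // Hardened shape following the recommended mitigation steps.
    function listAnchor(address token) external {
        // Access control: only the deployer sets up the anchor list.
        require(msg.sender == DEPLOYER, "not deployer");
        // Duplicate check: each token may occupy at most one slot.
        require(_isCurated[token] == false, "already listed");
        require(arrayAnchors.length < MAX_ANCHORS, "anchor set full");

        _isCurated[token] = true;
        arrayAnchors.push(token);
        emit AnchorListed(token, arrayAnchors.length - 1);
    }

    // Lets a test confirm that rejected calls left the list unchanged.
    function anchorCount() external view returns (uint256) {
        return arrayAnchors.length;
    }
}
```

A regression test for this shape would assert that a call from a non-deployer account reverts and that listing the same token twice reverts, with anchorCount unchanged in both cases.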