Closed code423n4 closed 3 years ago
https://github.com/code-423n4/2021-04-vader-findings/issues/208
https://github.com/vetherasset/vaderprotocol-contracts/issues/102
duplicate of #208
Handle
shw
Vulnerability details
Impact
The lockUnits and unlockUnits functions in Pools.sol allow anyone to call without any restrictions or access control on the caller. An attacker can steal any user's member units by directly calling lockUnits.
Proof of Concept
Referenced code: Pool.sol#L179-L187
PoC: Link to PoC. See the file 300_lockUnits.js for a PoC of this attack. To run it, use npx hardhat test 300_lockUnits.js.
Tools Used
None
Recommended Mitigation Steps
Add access control on both functions to allow calls only from the router, e.g., require(msg.sender == router).
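The recommended mitigation, sketched as an added example that is not part of the original report or the project's code. The contract name `PoolUnitsModel`, the `memberUnits` mapping, the constructor and the function signatures are assumptions made for illustration; only the `require(msg.sender == router)` check comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.3;

// Illustrative model only: the contract name, storage layout and function
// signatures are assumptions, not copied from the project's Pools.sol.
contract PoolUnitsModel {
    // The only address allowed to move member units (assumed fixed at deploy).
    address public immutable router;

    // token => member => liquidity units held in the pool (assumed layout).
    mapping(address => mapping(address => uint256)) public memberUnits;

    constructor(address router_) {
        require(router_ != address(0), "router is zero address");
        router = router_;
    }

    // The check from the recommended mitigation, factored into a modifier so
    // that both unit-moving functions share exactly the same guard.
    modifier onlyRouter() {
        require(msg.sender == router, "caller is not the router");
        _;
    }

    // Moves `units` of `token` from `member` to the caller. `member` is a
    // caller-supplied argument, so without onlyRouter nothing ties the
    // caller to the account being debited.
    function lockUnits(uint256 units, address token, address member)
        external
        onlyRouter
    {
        memberUnits[token][member] -= units; // reverts on underflow in 0.8+
        memberUnits[token][msg.sender] += units;
    }

    // Reverse of lockUnits: returns `units` from the caller to `member`.
    function unlockUnits(uint256 units, address token, address member)
        external
        onlyRouter
    {
        memberUnits[token][msg.sender] -= units;
        memberUnits[token][member] += units;
    }
}
```

The guard only relocates trust to the router: the router in turn has to derive `member` from its own `msg.sender` rather than from user input, and a test should assert that a call from any non-router address reverts.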