code-423n4 / 2021-04-vader-findings


Unrestricted access to `lockUnits` allows an attacker to steal funds from any user. #315

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

The `lockUnits` and `unlockUnits` functions in `Pools.sol` allow anyone to call them without any restrictions or access control on the caller. An attacker can steal any user's member units by directly calling `lockUnits`.

Proof of Concept

Referenced code: Pool.sol#L179-L187

PoC: Link to PoC. See the file `300_lockUnits.js` for a PoC of this attack. To run it, use `npx hardhat test 300_lockUnits.js`.

Tools Used

None

Recommended Mitigation Steps

Add access control on both functions to allow calls only from the router, e.g., `require(msg.sender == router)`.
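The recommended router-only check, sketched as an added example that is not part of the original report and is not the Vader `Pools.sol` source. The contract name, storage layout, function parameters, events and error strings are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.3;

// Added illustration, not the Vader Pools.sol source. The storage layout,
// parameters, events and error strings are assumptions made for this example.
contract PoolsUnitLockExample {
    // Fixed at deployment so the trusted caller cannot be swapped later.
    address public immutable router;

    // member => token => liquidity units (assumed layout)
    mapping(address => mapping(address => uint256)) public memberUnits;

    event UnitsLocked(address indexed member, address indexed token, uint256 units);
    event UnitsUnlocked(address indexed member, address indexed token, uint256 units);

    constructor(address router_) {
        require(router_ != address(0), "router is zero");
        router = router_;
    }

    // The check the report recommends: only the router may move units
    // between a member's balance and the caller's locked balance.
    modifier onlyRouter() {
        require(msg.sender == router, "not router");
        _;
    }

    // Moves `units` from `member` to the caller. Without onlyRouter the
    // caller could be any address, which is the issue reported above.
    function lockUnits(uint256 units, address token, address member) external onlyRouter {
        require(memberUnits[member][token] >= units, "insufficient units");
        memberUnits[member][token] -= units;
        memberUnits[msg.sender][token] += units;
        emit UnitsLocked(member, token, units);
    }

    // Returns previously locked units from the caller to `member`.
    function unlockUnits(uint256 units, address token, address member) external onlyRouter {
        require(memberUnits[msg.sender][token] >= units, "insufficient locked");
        memberUnits[msg.sender][token] -= units;
        memberUnits[member][token] += units;
        emit UnitsUnlocked(member, token, units);
    }
}
```

The guard only authenticates the caller; the router still has to pass a `member` value that the member themselves authorized. The events give monitoring a record of every unit movement to compare against router activity.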

strictly-scarce commented 3 years ago

https://github.com/code-423n4/2021-04-vader-findings/issues/208

0xBrian commented 3 years ago

https://github.com/vetherasset/vaderprotocol-contracts/issues/102

dmvt commented 3 years ago

duplicate of #208