code-423n4 / 2021-06-tracer-findings


oracle price and decimals updateable by everyone #22

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

gpersoon

Vulnerability details

Impact

The functions setDecimals and setPrice in GasOracle.sol and Oracle.sol are not protected by onlyOwner, so the values can be updated by everyone. It seems they are just example contracts, so the risk is low; however, it's safer to add onlyOwner in case someone uses this as a template and doesn't add access control.

Proof of Concept

https://github.com/code-423n4/2021-06-tracer/blob/main/src/contracts/oracle/GasOracle.sol#L64

    function setDecimals(uint8 _decimals) external {
        decimals = _decimals;
    }

https://github.com/code-423n4/2021-06-tracer/blob/main/src/contracts/oracle/Oracle.sol#L21

    function setPrice(uint256 _price) public {
        price = _price;
    }

Tools Used

Recommended Mitigation Steps

Add onlyOwner to setDecimals and setPrice
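The vulnerable shape next to the hardened one, as an added illustration that is not code from the Tracer repository. The `UnprotectedOracle` contract mirrors the unguarded setters quoted in the finding; `OwnedOracle` is a hypothetical hardened version with a minimal `onlyOwner` modifier written inline so the example compiles without OpenZeppelin (in a real code base `Ownable` would be imported instead). The events are an assumption, added so that price and decimals changes leave an on-chain trace that monitoring can pick up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Vulnerable shape: any externally owned account or contract can
// overwrite the oracle's price and decimals, so every consumer that
// reads this oracle can be fed arbitrary values.
contract UnprotectedOracle {
    uint256 public price;
    uint8 public decimals;

    function setPrice(uint256 _price) public {
        price = _price;
    }

    function setDecimals(uint8 _decimals) external {
        decimals = _decimals;
    }
}

// Hardened shape (hypothetical): the deployer becomes the owner and
// only the owner may update the stored values. The modifier stands in
// for OpenZeppelin's Ownable; the events are an assumption added so
// updates are observable off-chain.
contract OwnedOracle {
    address public owner;
    uint256 public price;
    uint8 public decimals;

    event PriceUpdated(address indexed by, uint256 price);
    event DecimalsUpdated(address indexed by, uint8 decimals);

    modifier onlyOwner() {
        require(msg.sender == owner, "OwnedOracle: caller is not the owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function setPrice(uint256 _price) public onlyOwner {
        price = _price;
        emit PriceUpdated(msg.sender, _price);
    }

    function setDecimals(uint8 _decimals) external onlyOwner {
        decimals = _decimals;
        emit DecimalsUpdated(msg.sender, _decimals);
    }
}
```

A quick check that the guard holds is to deploy `OwnedOracle` from one account and call `setPrice` from a second one: the call must revert with the `caller is not the owner` reason, while the same call from the deployer succeeds and emits `PriceUpdated`. The same two-account test against `UnprotectedOracle` shows both calls succeeding, which is exactly the behaviour the finding describes.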

raymogg commented 3 years ago

Duplicate of #78

loudoguno commented 3 years ago

changed risk from 1 to 0 as per judges sheet