Handle
gpersoon
Vulnerability details
Impact
The functions setDecimals and setPrice in GasOracle.sol and Oracle.sol are not protected by onlyOwner, so anyone can update their values. These appear to be example contracts only, so the risk is low; however, it is safer to add onlyOwner in case someone uses them as a template and does not add access control.
Proof of Concept
// https://github.com/code-423n4/2021-06-tracer/blob/main/src/contracts/oracle/GasOracle.sol#L64
function setDecimals(uint8 _decimals) external {
    decimals = _decimals;
}

// https://github.com/code-423n4/2021-06-tracer/blob/main/src/contracts/oracle/Oracle.sol#L21
function setPrice(uint256 _price) public {
    price = _price;
}
Tools Used
Recommended Mitigation Steps
Add onlyOwner to setDecimals and setPrice
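A sketch of the recommended mitigation, added here as an illustration and not taken from the Tracer repository: both setters gated by an owner check, with events so that monitoring can see every change. The contract name HardenedOracle, the inline onlyOwner modifier, the events and the pragma version are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumed compiler version

/// Added illustration. HardenedOracle, its inline owner check and its events
/// are hypothetical stand-ins, not the project's own contracts.
contract HardenedOracle {
    address public owner;
    uint256 public price;
    uint8 public decimals;

    // Emitted on every change so off-chain monitoring can alert on updates.
    event PriceUpdated(uint256 oldPrice, uint256 newPrice);
    event DecimalsUpdated(uint8 oldDecimals, uint8 newDecimals);

    // Reverts unless the caller is the deployer recorded in the constructor.
    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor(uint256 _price, uint8 _decimals) {
        owner = msg.sender;
        price = _price;
        decimals = _decimals;
    }

    // Same state change as the setter quoted in the report, now owner-only.
    function setPrice(uint256 _price) external onlyOwner {
        emit PriceUpdated(price, _price);
        price = _price;
    }

    // Same state change as the setter quoted in the report, now owner-only.
    function setDecimals(uint8 _decimals) external onlyOwner {
        emit DecimalsUpdated(decimals, _decimals);
        decimals = _decimals;
    }
}
```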