code-423n4 / 2021-07-spartan-findings


Missing input validation in realise() #216

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

0xsanson

Vulnerability details

Impact

In synth.sol, the function realise(pool) can be called using any existing pool as input. From my understanding, it's supposed that pool and synth must have the same underlying token. With the current implementation, a user can call various synth contracts with the same target pool and burn LP tokens which aren't supposed to be burned.

Proof of Concept

https://github.com/code-423n4/2021-07-spartan/blob/main/contracts/Synth.sol#L187

Tools Used

editor

Recommended Mitigation Steps

Check if the protocol design wants the situation described above. If not, add a require(pool.TOKEN == LayerONE).

verifyfirst commented 3 years ago

This is a design choice: the synth contract holds more than one pool token and thus uses mappings to handle this. "require(pool.TOKEN == LayerONE)" will limit a synth to only be minted by its layerOne pool.

ghoul-sol commented 3 years ago

Per sponsor comment, invalid