code-423n4 / 2021-09-swivel-findings


Admin can abuse onlySwivel #160

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

0xsanson

Vulnerability details

Impact

In MarketPlace.sol, admin can change the swivel address at any time.

A malicious admin can abuse this by setting swivel to their own address. They can then call functions such as p2pZcTokenExchange and p2pVaultExchange to take zc-tokens and n-tokens from users, and by redeeming these they can drain all funds from the protocol.

Proof of Concept

https://github.com/Swivel-Finance/gost/blob/v2/test/marketplace/MarketPlace.sol#L42

Tools Used

editor

Recommended Mitigation Steps

Consider adding a timelock on setSwivelAddress or directly on admin. Alternatively add a require(swivel == address(0)) so it can be called only the first time.
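The two mitigations above, written out as a hypothetical sketch that is not Swivel's MarketPlace.sol (the `admin`/`swivel` state variables, the 2-day window and the function names are assumptions): the first assignment is a one-shot set, and any later change must be announced and wait out a delay so users can observe it before it takes effect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract, not the audited code. A deployment that wants the
// swivel address frozen forever would simply drop the propose/apply pair.
contract MarketPlaceHardened {
    address public admin;
    address public swivel;

    uint256 public constant SWIVEL_DELAY = 2 days; // assumed timelock window
    address public pendingSwivel;
    uint256 public swivelEta;                      // earliest time the change may apply

    event SwivelProposed(address indexed newSwivel, uint256 eta);
    event SwivelSet(address indexed newSwivel);

    constructor() { admin = msg.sender; }

    modifier onlyAdmin()  { require(msg.sender == admin,  "not admin");  _; }
    modifier onlySwivel() { require(msg.sender == swivel, "not swivel"); _; }

    // Option 1 from the report: the setter only works while swivel is unset,
    // so the admin cannot later redirect onlySwivel functions to itself.
    function setSwivelAddress(address s) external onlyAdmin {
        require(swivel == address(0), "swivel already set");
        require(s != address(0), "zero address");
        swivel = s;
        emit SwivelSet(s);
    }

    // Option 2 from the report: a timelocked change. The admin first announces
    // the new address; the event gives users SWIVEL_DELAY to react before it
    // can be applied.
    function proposeSwivelAddress(address s) external onlyAdmin {
        require(s != address(0), "zero address");
        pendingSwivel = s;
        swivelEta = block.timestamp + SWIVEL_DELAY;
        emit SwivelProposed(s, swivelEta);
    }

    function applySwivelAddress() external onlyAdmin {
        require(pendingSwivel != address(0), "nothing pending");
        require(block.timestamp >= swivelEta, "timelock active");
        swivel = pendingSwivel;
        pendingSwivel = address(0);
        emit SwivelSet(swivel);
    }
}
```

Monitoring `SwivelProposed` off-chain is what turns the delay into a real safeguard; the delay alone only buys time.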

JTraversa commented 3 years ago

I need to check whether this is a duplicate. Will remove once reviewed tomorrow.

I'd also lower this to low severity as one of a number of admin functionality restrictions.

0xean commented 3 years ago

Downgraded to Risk 2 along with its duplicates based on assets not at direct risk