code-423n4 / 2021-11-badgerzaps-findings


setGuardian() Privilege Escalation Causing Governance to Lose Control of The Contract #31

Closed code423n4 closed 2 years ago

code423n4 commented 3 years ago

Handle

Meta0xNull

Vulnerability details

Impact

governance = _guardian

The Guardian will become Governance of the Contract which is Not Expected. Original Governance will lose control of this contract if they call setGuardian() with an Address/Key beyond their control.

Proof of Concept

https://github.com/Badger-Finance/badger-ibbtc-utility-zaps/blob/6f700995129182fec81b772f97abab9977b46026/contracts/IbbtcVaultZap.sol#L116-L119

https://github.com/Badger-Finance/badger-ibbtc-utility-zaps/blob/a5c71b72222d84b6414ca0339ed1761dc79fe56e/contracts/SettToRenIbbtcZap.sol#L130-L133

Tools Used

Manual Review

Recommended Mitigation Steps

Before: governance = _guardian;

After: guardian = _guardian;
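
The mix-up reported above, a setter named for one role writing to another role's variable, can be caught with a mechanical check. The following is an added example, not part of the original report or the project's code: a Python check that flags `set*` functions storing their parameter in a variable whose name matches neither the setter nor the parameter. The Solidity sample is constructed around the Before/After lines above, and the helper names are assumptions.

```python
import re

# Constructed Solidity sample reproducing the reported pattern; not the project's source.
SAMPLE_BEFORE = """
contract Zap {
    address public governance;
    address public guardian;

    function setGuardian(address _guardian) external {
        require(msg.sender == governance, "onlyGovernance");
        governance = _guardian;
    }

    function setGovernance(address _governance) external {
        require(msg.sender == governance, "onlyGovernance");
        governance = _governance;
    }
}
"""
# Same contract with the recommended mitigation applied.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("governance = _guardian;", "guardian = _guardian;")

# Matches `function setXxx(params) modifiers { body }` for bodies without nested braces.
SETTER = re.compile(r"function\s+set(\w+)\s*\(([^)]*)\)[^{]*\{(.*?)\}", re.S)
# Matches simple `target = value;` assignments (not `==` comparisons).
ASSIGN = re.compile(r"\b(\w+)\s*=\s*(\w+)\s*;")


def norm(name):
    """Compare names ignoring a leading underscore and case."""
    return name.lstrip("_").lower()


def mismatched_setters(source):
    """Return (function, written_variable, parameter) for each setter that stores
    its parameter in a variable named after neither the setter nor the parameter."""
    findings = []
    for match in SETTER.finditer(source):
        suffix, params, body = match.groups()
        param_names = {p.split()[-1] for p in params.split(",") if p.strip()}
        for target, value in ASSIGN.findall(body):
            if value in param_names and norm(target) not in (norm(suffix), norm(value)):
                findings.append(("set" + suffix, target, value))
    return findings


if __name__ == "__main__":
    print("before:", mismatched_setters(SAMPLE_BEFORE))
    print("after: ", mismatched_setters(SAMPLE_AFTER))
```

This is a naming heuristic for review triage; it does not parse Solidity and will miss setters with nested blocks or indirect writes.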

GalloDaSballo commented 3 years ago

Agree with the finding, we fixed it before deployment

0xleastwood commented 2 years ago

duplicate of #51