Closed code423n4 closed 2 years ago
ksk2345
Impact is high; once a new guardian is set using the 'setGuardian' function, the new guardian is in full control of the contract, due to this bug. The setGuardian function mistakenly sets the governance address instead of setting it to guardian.
Issue found in two contracts
1) Ref : https://github.com/Badger-Finance/badger-ibbtc-utility-zaps/blob/a5c71b72222d84b6414ca0339ed1761dc79fe56e/contracts/SettToRenIbbtcZap.sol line 130 : function setGuardian
2) Ref : https://github.com/Badger-Finance/badger-ibbtc-utility-zaps/blob/6f700995129182fec81b772f97abab9977b46026/contracts/IbbtcVaultZap.sol line 116 : function setGuardian
```solidity
function setGuardian(address _guardian) external {
    _onlyGovernance();
    governance = _guardian;
}
```
Wrongly sets the governance address where it is meant to set the new guardian address
Manual review
Change as below in both contracts' setGuardian functions
```solidity
function setGuardian(address _guardian) external {
    _onlyGovernance();
    guardian = _guardian;
}
```
duplicate of #51
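A review-time check for this class of bug, added here as an example (not code from the Badger repository or from the reporter): it scans Solidity source for `setX` functions that store a parameter in a variable other than `x`. The contract names `ZapBefore`/`ZapAfter` and the helper names are hypothetical, the sample is constructed from the two function bodies quoted in the report, and the scanner is a regex heuristic rather than a Solidity parser.

```python
import re

# Constructed sample: the two setGuardian bodies quoted in the report, wrapped
# in hypothetical contract names (ZapBefore / ZapAfter) for the scanner.
SAMPLE = """
contract ZapBefore {
    function setGuardian(address _guardian) external {
        _onlyGovernance();
        governance = _guardian;
    }
}
contract ZapAfter {
    function setGuardian(address _guardian) external {
        _onlyGovernance();
        guardian = _guardian;
    }
}
"""

CONTRACT_RE = re.compile(r"\bcontract\s+(\w+)[^{]*\{")
SETTER_RE = re.compile(r"\bfunction\s+set([A-Z]\w*)\s*\(([^)]*)\)[^{;]*\{")
ASSIGN_RE = re.compile(r"(?<![\w.\]])([A-Za-z_]\w*)\s*=(?!=)\s*([^;]+);")

def body_at(src, open_idx):
    """Return the text inside the brace block that opens at open_idx."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def find_mismatched_setters(src):
    """Flag setX(...) functions that store a parameter in a variable other than x."""
    findings = []
    for c in CONTRACT_RE.finditer(src):
        contract_body = body_at(src, c.end() - 1)
        for s in SETTER_RE.finditer(contract_body):
            expected = s.group(1)[0].lower() + s.group(1)[1:]
            params = {p.split()[-1] for p in s.group(2).split(",") if p.strip()}
            for a in ASSIGN_RE.finditer(body_at(contract_body, s.end() - 1)):
                target, value = a.group(1), a.group(2).strip()
                if value in params and target != expected:
                    findings.append((c.group(1), "set" + s.group(1), expected, target))
    return findings

if __name__ == "__main__":
    for contract, fn, expected, target in find_mismatched_setters(SAMPLE):
        print(f"{contract}.{fn}: writes '{target}', expected '{expected}'")
```

Braces inside comments or string literals will confuse the brace matcher, so treat a hit as a prompt for manual review of the setter, not as a verdict.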