code-423n4 / 2021-12-yetifinance-findings

Missing access restriction on StabilityPool's receiveCollateral #285

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

kenzo

Vulnerability details

StabilityPool's receiveCollateral should only be called by ActivePool, but that check is missing. Anybody can call it and update StabilityPool's total collateral variable.

Impact

Wrong amounts of total collateral in StabilityPool (totalColl). As far as I can see, this value is only used in view functions.

Proof of Concept

receiveCollateral: (notice comment and lack of caller check) (Code ref)

    // Should be called by ActivePool
    // __after__ collateral is transferred to this contract from Active Pool
    function receiveCollateral(address[] memory _tokens, uint256[] memory _amounts)
        external
        override
    {
        totalColl.amounts = _leftSumColls(totalColl, _tokens, _amounts);
        emit StabilityPoolBalancesUpdated(_tokens, _amounts);
    }

The rest of the pools do check the caller on this function.

Recommended Mitigation Steps

Add _requireCallerIsActivePool() to the function.
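
Added example, not part of the original report and not Yeti Finance's code: a reduced pool showing the recommended caller check on receiveCollateral, plus a view that checks the accounting against real balances. The contract and interface names, the `activePoolAddress` storage, the per-token mapping used in place of `_leftSumColls`, the revert strings, the `isAccountingBacked` helper and the compiler version are assumptions; only `receiveCollateral`, `totalColl`, `_requireCallerIsActivePool` and the event name come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumption: the audited code base may target another version

// Minimal token interface, only what the balance check below needs.
interface IERC20Balance {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical reduced pool; storage layout is simplified for illustration.
contract MiniStabilityPool {
    address public immutable activePoolAddress;   // assumed to be fixed at deployment
    mapping(address => uint256) public totalColl; // simplified per-token accounting

    event StabilityPoolBalancesUpdated(address[] _tokens, uint256[] _amounts);

    constructor(address _activePool) {
        require(_activePool != address(0), "StabilityPool: zero ActivePool");
        activePoolAddress = _activePool;
    }

    // The caller check the report recommends; the body is an assumption.
    function _requireCallerIsActivePool() internal view {
        require(msg.sender == activePoolAddress, "StabilityPool: Caller is not ActivePool");
    }

    // Should be called by ActivePool after collateral has been transferred here.
    function receiveCollateral(address[] memory _tokens, uint256[] memory _amounts) external {
        _requireCallerIsActivePool(); // without this, any account can inflate totalColl
        require(_tokens.length == _amounts.length, "StabilityPool: length mismatch");
        for (uint256 i = 0; i < _tokens.length; i++) {
            totalColl[_tokens[i]] += _amounts[i]; // checked arithmetic in 0.8.x
        }
        emit StabilityPoolBalancesUpdated(_tokens, _amounts);
    }

    // Monitoring aid (assumes the pool itself holds the collateral it accounts for):
    // returns false when recorded collateral exceeds the tokens actually held.
    function isAccountingBacked(address _token) external view returns (bool) {
        return IERC20Balance(_token).balanceOf(address(this)) >= totalColl[_token];
    }
}
```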

kingyetifinance commented 2 years ago

@LilYeti: Duplicate with #74 and should be severity level 3