code-423n4 / 2022-01-yield-findings

ConvexYieldWrapper griefing attack is possible that removes all the vaults from any user #135

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

hyh

Vulnerability details

Impact

A griefing attack is possible: an attacker can remove all vaultIds from an arbitrary account, i.e. anyone can mix up the vault configuration for any user.

Proof of Concept

ConvexYieldWrapper.removeVault doesn't have access controls and allows anyone to manage the vaults of a chosen account:

https://github.com/code-423n4/2022-01-yield/blob/main/contracts/ConvexYieldWrapper.sol#L71-95

ConvexModule.removeVault has the same issue:

https://github.com/code-423n4/2022-01-yield/blob/main/contracts/ConvexModule.sol#L27-33

Recommended Mitigation Steps

Consider adding a controller role that can manage user's vaults.

A version of the functionality without access controls, if needed, should operate on the msg.sender account only.

iamsahu commented 2 years ago

Duplicate of #4

GalloDaSballo commented 2 years ago

The vaults in the wrapper are lazily tracked; as discussed in #4, the finding is invalid.