code-423n4 / 2022-02-anchor-findings


Deployer can break bETH transfers and steal all bETH rewards #30

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-bEth-contracts/contracts/anchor_beth_reward/src/owner.rs#L18

Vulnerability details

Impact

The bETH reward contract pays out a reward_denom token to all config.token_contract holders. This config.token_contract can be changed by the owner at any time through the execute_post_initialize function.

Changing the token contract will break all bETH transfers as the token check fails on the increase/decrease_balance calls that are triggered on each transfer. It also allows the deployer to set it to their own, private token contract and earn all rewards.

It's a centralization risk on a potentially malicious/compromised owner with a big impact that can be avoided.

Recommended Mitigation Steps

Only allow setting the config.token_contract once instead.
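The set-once guard recommended above, as an added example that is not part of the original report or the Anchor code base. It is a simplified model in plain Rust; the `Config` layout, the error names, the function names other than `increase_balance`, and the addresses are assumptions made for illustration.

```rust
// Simplified model, not the Anchor contract: plain strings stand in for addresses.
#[derive(Debug, PartialEq)]
pub enum ContractError { Unauthorized, TokenAlreadySet }

pub struct Config {
    pub owner: String,                  // assumed field name
    pub token_contract: Option<String>, // None until post-initialize has run
}

// Behaviour described in the finding: the owner can overwrite the token at any time.
pub fn post_initialize_overwritable(cfg: &mut Config, sender: &str, token: &str) -> Result<(), ContractError> {
    if sender != cfg.owner { return Err(ContractError::Unauthorized); }
    cfg.token_contract = Some(token.to_string());
    Ok(())
}

// Recommended mitigation: accept the token address only while it is still unset.
pub fn post_initialize_set_once(cfg: &mut Config, sender: &str, token: &str) -> Result<(), ContractError> {
    if sender != cfg.owner { return Err(ContractError::Unauthorized); }
    if cfg.token_contract.is_some() { return Err(ContractError::TokenAlreadySet); }
    cfg.token_contract = Some(token.to_string());
    Ok(())
}

// Token check run on each balance update: only the registered token may call.
pub fn increase_balance(cfg: &Config, caller: &str) -> Result<(), ContractError> {
    if cfg.token_contract.as_deref() == Some(caller) { Ok(()) } else { Err(ContractError::Unauthorized) }
}

fn main() {
    // Constructed addresses for illustration only.
    let mut weak = Config { owner: "owner".into(), token_contract: Some("beth_token".into()) };
    post_initialize_overwritable(&mut weak, "owner", "private_token").unwrap();
    println!("overwritable: bETH hook -> {:?}", increase_balance(&weak, "beth_token"));

    let mut fixed = Config { owner: "owner".into(), token_contract: None };
    post_initialize_set_once(&mut fixed, "owner", "beth_token").unwrap();
    println!("set-once: second call -> {:?}", post_initialize_set_once(&mut fixed, "owner", "private_token"));
    println!("set-once: bETH hook -> {:?}", increase_balance(&fixed, "beth_token"));
}
```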

GalloDaSballo commented 2 years ago

Looks like Admin Privilege

GalloDaSballo commented 2 years ago

Dup of #21