search

code-423n4 / 2022-02-anchor-findings

0 stars 0 forks source link

Missing Access Control for FabricateMIRClaim and FabricateANCClaim #58

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-bAsset-contracts/contracts/anchor_airdrop_registry/src/contract.rs#L109 https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-bAsset-contracts/contracts/anchor_airdrop_registry/src/contract.rs#L71

Vulnerability details

Impact

FabricateMIRClaim and FabricateANCClaim should only be issued by the Hub contract (the central hub for all minted bLuna managed by Lido). However, execute_fabricate_anchor_claim and execute_fabricate_mir_claim do not restrict the caller, allowing anyone to submit these msgs.

Recommended Mitigation Steps

Recommended to add at least simple access control checks in the contract to ensure that these functions can only be called by the Hub and not by others.

See a below for a potential code snippet.

// only hub contract can send this message.
let config = read_config(deps.storage)?;
let sender_raw = deps.api.addr_canonicalize(&info.sender.to_string())?;
if sender_raw != config.hub_contract {
    return Err(StdError::generic_err("unauthorized"));
}
GalloDaSballo commented 2 years ago

The finding is correct in that anyone can call the function

The finding lacks any form of impact as to what would happen.

I think these may be test functions also

Not convinced the report makes sense for high severity given the lack of detail