Closed code423n4 closed 2 years ago
Safe creation authentication is managed by Tribe governance. This is not an issue as governance will configure the turbo launch in a desirable manner.
While I think there's legitimacy to the idea of making the creation of a safe trustless, I don't see any vulnerability here.
Lines of code
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboMaster.sol#L161
Vulnerability details
Impact
A user can't create a safe because of the requiresAuth modifier in createSafe(). Neither directly through the TurboMaster contract nor through the router.
Proof of Concept
Here's the test file I used to confirm it. I had to modify the contracts a little bit to satisfy the dependencies so you can't just drop it into the codebase. But that should be fairly easy for you to replicate. The issue can also be verified by just looking at the createSafe() function.
Both tests revert with the following msg:
UNAUTHORIZED
Tools Used
none
Recommended Mitigation Steps
Remove the modifier since it's a basic user-facing function.
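
A simplified model of the access pattern discussed in this report, added here as an example and not taken from the Turbo codebase: a requiresAuth-style gate on createSafe() whose policy is held in a separate governance-controlled contract. GovernanceAuthority, GatedMaster, setPublic and setAllowed are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Simplified model; all names are illustrative assumptions, not the Turbo contracts.
interface IAuthority {
    function canCall(address user, address target, bytes4 sig) external view returns (bool);
}

// Governance-controlled policy: a selector can be opened to everyone or to single users.
contract GovernanceAuthority is IAuthority {
    address public immutable governance;
    mapping(bytes4 => bool) public isPublic;
    mapping(address => mapping(bytes4 => bool)) public allowed;

    constructor() { governance = msg.sender; }

    function setPublic(bytes4 sig, bool enabled) external {
        require(msg.sender == governance, "NOT_GOVERNANCE");
        isPublic[sig] = enabled;
    }

    function setAllowed(address user, bytes4 sig, bool enabled) external {
        require(msg.sender == governance, "NOT_GOVERNANCE");
        allowed[user][sig] = enabled;
    }

    function canCall(address user, address, bytes4 sig) external view returns (bool) {
        return isPublic[sig] || allowed[user][sig];
    }
}

contract GatedMaster {
    address public immutable owner;
    IAuthority public immutable authority;
    uint256 public safeCount;

    constructor(IAuthority authority_) { owner = msg.sender; authority = authority_; }

    modifier requiresAuth() {
        bool ok = msg.sender == owner ||
            (address(authority) != address(0) && authority.canCall(msg.sender, address(this), msg.sig));
        require(ok, "UNAUTHORIZED");
        _;
    }

    // Reverts with UNAUTHORIZED until governance permits the caller or opens the selector.
    function createSafe() external requiresAuth returns (uint256 id) {
        id = ++safeCount;
    }
}
```

In this model, a governance call to setPublic(GatedMaster.createSafe.selector, true) makes safe creation permissionless while the modifier stays in place, and setAllowed restricts it to chosen callers such as a router.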