Closed code423n4 closed 2 years ago
The auth will be configured appropriately for launch, this is a configuration concern and not an issue with the code
I appreciate the warden showing POC for the finding, however had they set up authentication properly, the system would work.
While some discussion about testing auth could be raised (I believe auth is tested in Solmate to provide a baseline guarantee), I don't think there's any vulnerability here.
The fact that the sponsor didn't test the auth through an integration test is not proof that the system will break, because if you change the test to provide auth to the router, your test would no longer revert
Marking as invalid, but I want to commend the warden for having a POC which gives some merit to their argument
Lines of code
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L114-L133 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L171 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L210 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L258 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L310 https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L335
Vulnerability details
Impact
The TurboRouter is not able to interact with an existing TurboSafe because of the authentication modifier of the respective TurboSafe functions. Because of that, those router functions are unusable.
Proof of Concept
Here's the test file I used to confirm it. I had to modify the contracts a little bit to satisfy the dependencies so you can't just drop it into the codebase. But that should be fairly easy for you to replicate.
The test reverts with the following msg:
UNAUTHORIZED
Tools Used
none
Recommended Mitigation Steps
Incoming calls from the Router shouldn't be authenticated again since they already are by the Router: https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboRouter.sol#L38
It already checks whether the caller owns the safe. If they do there shouldn't be a reason to block their access. So the authentication modifier of the TurboSafe functions should whitelist the router.