Lines of code
https://github.com/code-423n4/2022-03-rolla/blob/main/quant-protocol/contracts/utils/OperateProxy.sol#L10
Vulnerability details
Impact
In OperateProxy.sol, callFunction() allows anyone to make an external call to a user-supplied address with arbitrary calldata, also supplied by the caller. Since OperateProxy.sol is used in Controller.sol, this can be used to steal any tokens that may be held in the Controller.
Proof of Concept
https://github.com/code-423n4/2022-03-rolla/blob/main/quant-protocol/contracts/utils/OperateProxy.sol#L10
Tools Used
Manual code review
Recommended Mitigation Steps
callFunction() should be access-controlled so that only an admin or a privileged contract (such as the Controller) can call it.
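To make the mitigation concrete, the following is an added illustration of the pattern this finding describes, written for this report and not taken from the quant-protocol repository: an unguarded forwarding function next to a hardened version that only accepts calls from the controller that deployed it. The contract names, the `controller` state variable, the `onlyController` modifier and the `Unauthorized` error are assumed names chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustration only (not the project's code). Vulnerable pattern: any account
// can direct this contract to call any address with any calldata, so any token
// balance or approval this contract (or a contract inheriting it) holds can be
// moved by an arbitrary caller.
contract UnguardedOperateProxy {
    function callFunction(address callee, bytes calldata data) external {
        (bool ok, ) = callee.call(data);
        require(ok, "call failed");
    }
}

// Hardened pattern: the proxy remembers the controller that deployed it and
// rejects every other caller, so the arbitrary call can only be issued through
// the controller's own (authorized) entry points.
contract GuardedOperateProxy {
    // Assumed name: the only address allowed to drive this proxy.
    address public immutable controller;

    error Unauthorized(address caller);

    constructor() {
        // The deploying contract (e.g. the Controller) becomes the sole operator.
        controller = msg.sender;
    }

    // Assumed modifier name: restrict to the deploying controller.
    modifier onlyController() {
        if (msg.sender != controller) revert Unauthorized(msg.sender);
        _;
    }

    function callFunction(address callee, bytes calldata data)
        external
        onlyController
        returns (bytes memory ret)
    {
        require(callee != address(0), "zero callee");
        bool ok;
        (ok, ret) = callee.call(data);
        if (!ok) {
            // Bubble up the callee's revert reason instead of swallowing it.
            assembly {
                revert(add(ret, 32), mload(ret))
            }
        }
    }
}
```

A review check that follows from this pattern: for every function that performs a low-level `call` with caller-controlled target and calldata, confirm it carries an access-control modifier, and confirm the contract that is allowed through (here the deploying controller) applies its own authorization before forwarding.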