code-423n4 / 2022-03-rolla-findings


QA Report #6

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-rolla/blob/main/quant-protocol/contracts/utils/OperateProxy.sol#L10

Vulnerability details

Impact

In OperateProxy.sol, callFunction() allows anyone to make an external call to a user-supplied address with arbitrary data also supplied by the caller. Since OperateProxy.sol is used in Controller.sol, this can be used to steal any tokens that may be held in the Controller.

Proof of Concept

https://github.com/code-423n4/2022-03-rolla/blob/main/quant-protocol/contracts/utils/OperateProxy.sol#L10

Tools Used

Manual code review

Recommended Mitigation Steps

The callFunction() should be guarded and only callable by an admin or privileged contract.
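As an added illustration of the mitigation (example code, not the Rolla/Quant contracts), the unguarded pattern next to a version that binds the proxy to the controller that deploys it; the contract and function names, and the `msg.sender`-at-construction binding, are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. Shows an open call proxy and a guarded one.

/// Unguarded: any caller can route a call to any address with any calldata,
/// so every token balance or allowance this contract holds is reachable by anyone.
contract UnguardedProxy {
    function callFunction(address callee, bytes calldata data) external {
        (bool ok, bytes memory ret) = callee.call(data);
        if (!ok) {
            // bubble up the callee's revert data unchanged
            assembly { revert(add(ret, 32), mload(ret)) }
        }
    }
}

/// Guarded: only the controller that deployed the proxy may use it.
contract GuardedProxy {
    address public immutable controller; // set once, cannot be changed later

    error NotController(address caller);

    constructor() {
        controller = msg.sender; // assumption: the Controller deploys the proxy
    }

    function callFunction(address callee, bytes calldata data) external {
        if (msg.sender != controller) revert NotController(msg.sender);
        (bool ok, bytes memory ret) = callee.call(data);
        if (!ok) {
            assembly { revert(add(ret, 32), mload(ret)) }
        }
    }
}

/// Minimal controller (hypothetical) showing the binding: it deploys the proxy,
/// so the proxy's `controller` is this contract and direct calls to the proxy revert.
contract MinimalController {
    GuardedProxy public immutable proxy;

    constructor() {
        proxy = new GuardedProxy();
    }

    /// Only this contract can forward through the proxy; its own entry points
    /// decide which callees and payloads are allowed (left to the integrator).
    function forward(address callee, bytes calldata data) external {
        proxy.callFunction(callee, data);
    }
}
```

The immutable binding removes the need for a mutable admin slot; if the controller itself must be upgradeable, the proxy should be redeployed alongside it rather than given a setter.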

quantizations commented 2 years ago

Duplicate of #16

alcueca commented 2 years ago

Downgraded to QA, with a QA report score of 7.

JeeberC4 commented 2 years ago

Preserving original title as warden had not submitted QA Report: External call to user provided address with arbitrary data supplied