code-423n4 / 2022-04-dualityfocus-findings


Wrong authorization for `CToken._setNameAndSymbol` #14

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-dualityfocus/blob/f21ef7708c9335ee1996142e2581cb8714a525c9/contracts/compound_rari_fork/CToken.sol#L1641

Vulnerability details

Impact

Anyone can change a CToken's name and symbol because of a wrong admin check: this will not only be very confusing for CToken holders but will also allow many phishing attacks that lead to loss of funds. For example, a victim holding both cWBTC and cUSDC can be talked into an OTC trade for their cUSDC, and then the cWBTC and cUSDC token names are swapped. Careless users might go to Etherscan and trade their "cUSDC", which is actually cWBTC. There are many other phishing attempts possible if the frontend pulls the names from the chain.

Recommended Mitigation Steps

Fix the check.

function _setNameAndSymbol(string calldata _name, string calldata _symbol) external {
    // Check caller is admin
-   require(msg.sender != admin, "caller not admin");
+   require(msg.sender == admin, "caller not admin");

    // Set ERC20 name and symbol
    name = _name;
    symbol = _symbol;
}
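Review bot: The `+` line correctly inverts the `!=` to `==` on the `require`, which restores the intended admin-only gate; two follow-ups worth considering in the same function. First, the setter writes `name` and `symbol` without emitting any event, so off-chain indexers and frontends that cache token metadata get no signal that a rename happened; an event carrying the old and new values would make renames auditable. Second, the function is named with a leading underscore like the other admin-only setters in this fork, so it may be worth checking that every other `_set*` function in the file uses the same `msg.sender == admin` comparison rather than a hand-written one, since this defect is a single flipped operator that no compiler warning catches.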
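As an added regression test that is not part of the original finding or the Duality Focus code base: a Foundry test against a minimal stand-in contract that carries only the corrected `_setNameAndSymbol` check (the `MinimalCToken` contract, the `NewNameAndSymbol` event and the `stranger` address are assumptions made here for the test, not names from the project). It asserts that the admin can rename the token and that any other caller is reverted with the "caller not admin" reason, which is the behaviour the `+` line above is meant to guarantee.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// Simplified stand-in for the CToken admin check; it is not the project's
// contract and models only what is needed to exercise _setNameAndSymbol.
contract MinimalCToken {
    address public admin;
    string public name;
    string public symbol;

    // Assumed event (not in the original) so renames are visible off-chain.
    event NewNameAndSymbol(string oldName, string oldSymbol, string newName, string newSymbol);

    constructor(string memory _name, string memory _symbol) {
        admin = msg.sender;
        name = _name;
        symbol = _symbol;
    }

    function _setNameAndSymbol(string calldata _name, string calldata _symbol) external {
        // Corrected check: only the admin may rename the token.
        require(msg.sender == admin, "caller not admin");

        emit NewNameAndSymbol(name, symbol, _name, _symbol);
        name = _name;
        symbol = _symbol;
    }
}

contract SetNameAndSymbolTest is Test {
    MinimalCToken token;
    // Constructed test address standing in for an arbitrary non-admin caller.
    address stranger = address(0xBEEF);

    function setUp() public {
        // The test contract deploys the token, so it becomes the admin.
        token = new MinimalCToken("Compound USDC", "cUSDC");
    }

    function testAdminCanRename() public {
        token._setNameAndSymbol("Compound USDC v2", "cUSDC2");
        assertEq(token.name(), "Compound USDC v2");
        assertEq(token.symbol(), "cUSDC2");
    }

    function testNonAdminCannotRename() public {
        vm.prank(stranger);
        vm.expectRevert(bytes("caller not admin"));
        token._setNameAndSymbol("Compound WBTC", "cWBTC");

        // The revert must leave the metadata untouched.
        assertEq(token.name(), "Compound USDC");
        assertEq(token.symbol(), "cUSDC");
    }
}
```

Run with `forge test` in a Foundry project that has `forge-std` installed. The second test is the one that would have failed against the original `!=` check: with the inverted comparison the stranger's call succeeds and the admin's call is the one that reverts, so both tests fail together and the flipped operator is caught before deployment.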
0xdramaone commented 2 years ago

Duplicate of #25