Open code423n4 opened 2 years ago
Acknowledged, we were aware that this matches the behavior of actual Compound when deployed with CErc20Immutable. We originally thought we would stick with this functionality, but have now opted for enabling admin transitions.
Lines of code
https://github.com/code-423n4/2022-04-dualityfocus/blob/main/contracts/compound_rari_fork/CToken.sol#L1379
Vulnerability details
Impact
The implementation of `CToken` in Duality introduced an `_acceptAdmin` function, which presumably should allow changing the `admin`. However, there is no paired `proposePendingAdmin` function that can propose a new `pendingAdmin`, so `pendingAdmin` will never be set. This renders the `_acceptAdmin` function useless.
Proof of Concept
`_acceptAdmin` requires `msg.sender` to equal `pendingAdmin`; however, since `pendingAdmin` can never be set, it will always be `address(0)`, making this function unusable.
Tools Used
vim, ganache-cli
Recommended Mitigation Steps
Add a `proposePendingAdmin` function where the current admin can propose successors.
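As an added example (not Duality's or Compound's own code), a minimal contract showing the two-step handover the mitigation describes: the admin nominates a successor, and only that successor can accept. The contract name, events and revert messages are hypothetical; the missing step is the same one Compound's CToken implements as `_setPendingAdmin`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical minimal admin-transition contract (added example, not Duality's CToken).
contract TwoStepAdmin {
    address public admin;
    address public pendingAdmin;

    event NewPendingAdmin(address oldPendingAdmin, address newPendingAdmin);
    event NewAdmin(address oldAdmin, address newAdmin);

    constructor() {
        admin = msg.sender;
    }

    /// Step 1: the function the report finds missing. Only the current admin may
    /// nominate a successor, and this is the only place pendingAdmin is written.
    /// Without it, pendingAdmin stays at its default value of address(0) forever.
    function proposePendingAdmin(address newPendingAdmin) external {
        require(msg.sender == admin, "only admin may propose");
        require(newPendingAdmin != address(0), "cannot nominate the zero address");
        address oldPendingAdmin = pendingAdmin;
        pendingAdmin = newPendingAdmin;
        emit NewPendingAdmin(oldPendingAdmin, newPendingAdmin);
    }

    /// Step 2: the check the report describes. msg.sender must equal pendingAdmin;
    /// if pendingAdmin is still address(0) no caller can ever satisfy this require,
    /// which is exactly why _acceptAdmin is unusable without step 1.
    function _acceptAdmin() external {
        require(msg.sender == pendingAdmin && msg.sender != address(0), "caller is not pendingAdmin");
        address oldAdmin = admin;
        admin = pendingAdmin;
        pendingAdmin = address(0); // clear the nomination once it has been consumed
        emit NewAdmin(oldAdmin, admin);
    }
}
```

Deploying this, calling `_acceptAdmin()` from any account before `proposePendingAdmin` reverts, and succeeds only from the nominated address afterwards, which is the behaviour the mitigation restores.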