Closed: code423n4 closed 2 years ago

Lines of code
https://github.com/code-423n4/2022-04-dualityfocus/blob/f21ef7708c9335ee1996142e2581cb8714a525c9/contracts/compound_rari_fork/CToken.sol#L1641

Vulnerability details

Impact
It is possible for anyone to change the name and symbol of CToken.

Proof of Concept
The require was written with the condition reversed: it checks that the sender must be different from admin in order to be able to change the name and symbol.

require(msg.sender != admin, "caller not admin");

The effect is that the token can be altered by a third party, which can lead to loss of reliability in the project and consequently loss of investors.

Recommended Mitigation Steps
Change to:

require(msg.sender == admin, "caller not admin");

Duplicate of #25
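The following is an added Foundry regression test, not code from the report or from the Duality Focus repository: it pins the corrected admin check so that a reversed comparison like the one above would fail CI. The function name _setNameAndSymbol and the minimal stand-in contract are assumptions, not the project's actual code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// Constructed stand-in for the admin-gated metadata setter in CToken (assumed shape).
contract MetadataToken {
    address public admin;
    string public name;
    string public symbol;

    constructor(string memory _name, string memory _symbol) {
        admin = msg.sender;
        name = _name;
        symbol = _symbol;
    }

    // Hardened form: only the admin may change the token metadata.
    function _setNameAndSymbol(string calldata _name, string calldata _symbol) external {
        require(msg.sender == admin, "caller not admin");
        name = _name;
        symbol = _symbol;
    }
}

contract MetadataTokenTest is Test {
    MetadataToken token;
    address attacker = address(0xBEEF); // constructed non-admin address

    function setUp() public {
        token = new MetadataToken("Duality Token", "DUAL");
    }

    // A non-admin caller must be rejected and the metadata must be unchanged.
    // With the reversed check from the report this test fails: the call succeeds.
    function testNonAdminCannotRename() public {
        vm.prank(attacker);
        vm.expectRevert(bytes("caller not admin"));
        token._setNameAndSymbol("Evil", "EVIL");
        assertEq(token.name(), "Duality Token");
    }

    // The admin (this test contract deployed the token) can still update metadata.
    function testAdminCanRename() public {
        token._setNameAndSymbol("New Name", "NEW");
        assertEq(token.symbol(), "NEW");
    }
}
```

Run with forge test; flipping the comparison back to != makes testNonAdminCannotRename fail, which is the regression signal the fix needs.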