The transferFrom function of vToken.sol can be done without any user permissions or strict security checks, requires only the caller must has ORDERER_ROLE as the access control, exposing it to the centralize risk if an orderer is compromised or act maliciously.
jn-lp
commented
2 years ago
Lines of code
https://github.com/code-423n4/2022-04-phuture/blob/594459d0865fb6603ba388b53f3f01648f5bb6fb/contracts/vToken.sol#L81
Vulnerability details
Impact
The
transferFromfunction ofvToken.solcan be done without any user permissions or strict security checks, requires only the caller must hasORDERER_ROLEas the access control, exposing it to the centralize risk if an orderer is compromised or act maliciously.Proof of Concept
transferFromforward the call to _transfer() which just also forward the call to NAV.transfer()Tools Used
None
Recommended Mitigation Steps