Closed code423n4 closed 2 years ago
IndexLogic is a logic-only contract to be used by indices via delegatecall; there isn't a need to restrict direct callers in any way.
Agreed, this isn't a vulnerability that I can see.
But upgrade security is something to take into consideration depending on how upgrades happen. Here is an example of a vulnerability that was caught in the wild: https://forum.openzeppelin.com/t/uupsupgradeable-vulnerability-post-mortem/15680
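The two points above (a logic contract is normally reached only through a proxy's delegatecall, so direct calls write into the logic contract's own storage, and an implementation left unguarded can still be initialised or driven directly) are easiest to see side by side. The following is an added illustration written for this page, not code from the Phuture repository or from the issue's authors. `LogicExample`, `ProxyExample` and `Demo` are hypothetical names; the `onlyProxy` guard and the constructor that marks the implementation as initialised follow the mitigation pattern described in the linked OpenZeppelin post-mortem.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical logic-only contract (not Phuture's IndexLogic).
contract LogicExample {
    // Storage layout must match the proxy's: slot 0, then slot 1 (packed).
    uint256 public totalMinted;
    bool private initialized;
    address public owner;

    // Address this logic contract was deployed at. Immutables are baked into
    // bytecode rather than storage, so the value survives a delegatecall.
    address private immutable __self = address(this);

    // Allow execution only when running in a proxy's context (delegatecall).
    modifier onlyProxy() {
        require(address(this) != __self, "must be called through proxy");
        _;
    }

    constructor() {
        // Mark the implementation's own storage as initialised so that nobody
        // can call initialize() on the bare implementation and claim ownership.
        initialized = true;
    }

    function initialize(address _owner) external onlyProxy {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
    }

    // Public, like mint() in the finding. Without onlyProxy a direct call is
    // still harmless to the indices: it would only touch this contract's own
    // storage. With onlyProxy a direct call reverts outright.
    function mint(uint256 amount) public onlyProxy returns (uint256) {
        totalMinted += amount;
        return totalMinted;
    }
}

// Minimal delegatecall proxy with the same storage layout as LogicExample.
contract ProxyExample {
    uint256 public totalMinted;
    bool private initialized;
    address public owner;

    address public immutable implementation;

    constructor(address impl) {
        implementation = impl;
    }

    // Every unknown selector is forwarded to the logic contract, which then
    // executes against this proxy's storage.
    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Driver showing where the state actually lands.
contract Demo {
    function run() external returns (uint256 viaProxy, uint256 direct) {
        LogicExample logic = new LogicExample();
        ProxyExample proxy = new ProxyExample(address(logic));

        // Initialise through the proxy: writes owner into the proxy's storage.
        LogicExample(address(proxy)).initialize(address(this));

        // mint() through the proxy updates proxy storage (returns 5).
        viaProxy = LogicExample(address(proxy)).mint(5);

        // The logic contract's own counter is untouched (stays 0), and a
        // direct logic.mint(5) would revert because of onlyProxy.
        direct = logic.totalMinted();
    }
}
```

Deploying `Demo` and calling `run()` returns `(5, 0)`: the minted amount lives in the proxy, not in the logic contract. Removing `onlyProxy` and the constructor assignment reproduces the unguarded shape the post-mortem warns about, where the bare implementation can be initialised and operated on its own.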
Lines of code
https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/IndexLogic.sol#L31

Vulnerability details

Impact
mint() in IndexLogic.sol is public, which means it can be called by anyone. Since we don't know how the system works, it could be a serious potential threat.

Proof of Concept
https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/IndexLogic.sol#L31

Tools Used
vim

Recommended Mitigation Steps
Need access control in IndexLogic.sol