code-423n4 / 2022-05-cudos-findings


Access Control Misconfiguration allows whitelisted user to add users to whitelist #136

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-cudos/blob/main/solidity/contracts/Gravity.sol#L116-L122
https://github.com/code-423n4/2022-05-cudos/blob/main/solidity/contracts/Gravity.sol#L124-L136

Vulnerability details

Impact

The function manageWhiteList() allows whitelisted users to add users to the whitelist.

Proof of Concept

  1. Admin calls manageWhiteList() and adds users to the whitelist.
  2. Whitelisted user A is a member of the whitelist and has the ability to call manageWhiteList() to add new users to the whitelist. https://github.com/code-423n4/2022-05-cudos/blob/main/solidity/contracts/Gravity.sol#L124-L136

Tools Used

Manual review

Recommended Mitigation Steps

Proper access control needs to be implemented for manageWhiteList().
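As an added illustration, not the Gravity.sol code (which is only linked above), a constructed minimal whitelist contract showing the reported pattern, where the gate on manageWhiteList() is membership in the whitelist itself, beside a version gated on the admin; all names other than manageWhiteList are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example for the finding above; not the audited Gravity.sol.
// Assumed names: whitelisted, onlyWhitelisted, owner, onlyOwner.
contract WhitelistVulnerable {
    mapping(address => bool) public whitelisted;

    constructor() {
        // Deployer (admin) starts as the only whitelisted account.
        whitelisted[msg.sender] = true;
    }

    // Weak check: any whitelisted account passes, so once user A is added
    // in step 1, A can grant or revoke membership for anyone in step 2.
    modifier onlyWhitelisted() {
        require(whitelisted[msg.sender], "not whitelisted");
        _;
    }

    function manageWhiteList(address[] calldata users, bool add) external onlyWhitelisted {
        for (uint256 i = 0; i < users.length; i++) {
            whitelisted[users[i]] = add;
        }
    }
}

contract WhitelistFixed {
    address public owner;
    mapping(address => bool) public whitelisted;

    event WhiteListUpdated(address indexed user, bool added, address indexed by);

    constructor() { owner = msg.sender; }

    // Hardened check: membership changes are restricted to the admin,
    // independent of whether the caller is whitelisted.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function manageWhiteList(address[] calldata users, bool add) external onlyOwner {
        for (uint256 i = 0; i < users.length; i++) {
            whitelisted[users[i]] = add;
            emit WhiteListUpdated(users[i], add, msg.sender);
        }
    }
}
```

The emitted event in the fixed version gives an on-chain audit trail of who changed membership, which is what a monitor would alert on if the admin key itself were misused.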

maptuhec commented 2 years ago

Duplicate of #19