code-423n4 / 2022-06-nested-findings


Functions in OperatorScripts.sol can be called by anyone #28

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-nested/blob/main/contracts/governance/scripts/OperatorScripts.sol

Vulnerability details

Impact

The functions defined in the OperatorScripts contract are external functions without any other access control.

So anyone can add operators for OperatorResolver.getOperator(), which is called in MixinOperatorResolver to use in callOperator(), which is called when submitting orders in NestedFactory.

Tools Used

Manual review

Recommended Mitigation Steps

Apply necessary access control restrictions on the functions.

obatirou commented 2 years ago

Functions in OperatorScripts.sol can be called by anyone (disputed)

OperatorScripts is always called using delegatecall by the OwnerProxy. The OperatorScripts is not the NestedFactory owner.
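To illustrate the delegatecall argument behind the dispute, here is an added, constructed example that is not the Nested Finance code: the contract and function names (Resolver, Scripts, OwnerProxy, execute) are hypothetical stand-ins for OperatorResolver, OperatorScripts and the OwnerProxy described above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed resolver: only its owner may register operators.
contract Resolver {
    address public immutable owner;
    mapping(bytes32 => address) public operators;

    constructor(address _owner) { owner = _owner; }

    function addOperator(bytes32 name, address op) external {
        require(msg.sender == owner, "not owner");
        operators[name] = op;
    }
}

// Script contract with an unguarded external function, as in the finding.
// Called directly, msg.sender inside Resolver is this contract, which is
// not the owner, so the call reverts and nothing is changed.
contract Scripts {
    function addOperator(Resolver r, bytes32 name, address op) external {
        r.addOperator(name, op);
    }
}

// Constructed proxy: it owns the Resolver and runs script code with
// delegatecall, so the script body executes in the proxy's context and
// Resolver sees msg.sender == address(proxy). Only the proxy owner can
// reach this path; the access control lives here, not in Scripts.
contract OwnerProxy {
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function execute(address script, bytes calldata data)
        external
        returns (bytes memory)
    {
        require(msg.sender == owner, "not owner");
        (bool ok, bytes memory ret) = script.delegatecall(data);
        require(ok, "script failed");
        return ret;
    }
}
```

The check a reviewer would make is therefore whether any privileged contract has the script contract itself as owner; if only the proxy is the owner, an unguarded script function is harmless when called directly.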