Closed code423n4 closed 1 year ago
Invalid. Permissionless deployDelegateFor is the intended design.
This is the business case: users should be allowed to call and deploy their own delegate (and pick an owner).
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateDeployer.sol#L69
Vulnerability details
Impact
There is no access control for the deployDelegateFor function, so anyone can call this function and initialize all the parameters for a project. Moreover, the caller can also transfer the owner to a possible malicious new owner in line 100.
Proof of Concept
https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateDeployer.sol#L69
Tools Used
Manual
Recommended Mitigation Steps
Add a modifier onlyOwner() so that only the owner of the contract can call this function. Refactor the code for ownership transfer as a two-step process: 1) propose a new pending owner; 2) the new pending owner accepts the role.
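The two-step ownership transfer recommended above, as an added example that is not part of the original report or of the juice-nft-rewards code base. The contract name `TwoStepOwnable` and the functions `proposeOwner` and `acceptOwnership` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

/// Added illustration of a propose/accept ownership hand-off.
/// All identifiers here are hypothetical, not taken from the audited contracts.
abstract contract TwoStepOwnable {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    error NotOwner();
    error NotPendingOwner();

    constructor(address initialOwner) {
        owner = initialOwner;
        emit OwnershipTransferred(address(0), initialOwner);
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Step 1: the current owner proposes a successor. Control does not move yet.
    /// Proposing address(0) cancels a pending transfer.
    function proposeOwner(address candidate) external onlyOwner {
        pendingOwner = candidate;
        emit OwnershipTransferStarted(owner, candidate);
    }

    /// Step 2: only the proposed address can complete the transfer, which shows
    /// it can sign transactions and guards against mistyped or unusable addresses.
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotPendingOwner();
        address previous = owner;
        owner = pendingOwner;
        delete pendingOwner;
        emit OwnershipTransferred(previous, owner);
    }
}
```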