code-423n4 / 2022-12-forgeries-findings


Unprotected contract #312

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDrawFactory.sol#L38

Vulnerability details

Impact

Anyone can call makeNewDraw and become admin.

src/VRFNFTRandomDrawFactory.sol

```solidity
function makeNewDraw(IVRFNFTRandomDraw.Settings memory settings)
    external
    returns (address)
{
    address admin = msg.sender;
    // Clone the contract
    address newDrawing = ClonesUpgradeable.clone(implementation);
    // Setup the new drawing
    IVRFNFTRandomDraw(newDrawing).initialize(admin, settings);
    // Emit event for indexing
    emit SetupNewDrawing(admin, newDrawing);
    // Return address for integration or testing
    return newDrawing;
}
```

Recommended Mitigation Steps

Protect access to all sensitive information.

hansfriese commented 1 year ago

Not anyone. Only the NFT owner can make a new draw because the NFT ownership is checked on initialization. And I believe it's the intended business logic to allow anyone to be able to create a raffle as long as he owns the NFT.
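To make the distinction in this thread concrete, here is an added illustration (not the Forgeries code base and not code from either commenter) of a factory whose `makeNewDraw` is open to any caller while the `initialize` of the created draw refuses an `admin` that does not currently own the raffled token. The contract and type names (`SimpleDraw`, `SimpleDrawFactory`, `DrawSettings`, `IERC721Minimal`) are invented for this example, and `new` is used instead of a minimal-proxy clone to keep it self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical example: the ownership check inside initialize() is what
// bounds who can become admin, even though the factory entry point is public.

interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
}

struct DrawSettings {
    address token;   // ERC-721 contract holding the prize
    uint256 tokenId; // id of the prize token
}

contract SimpleDraw {
    address public admin;
    DrawSettings public settings;
    bool private initialized;

    error AlreadyInitialized();
    error NotTokenOwner(address requestedAdmin, address actualOwner);

    // Runs once. Reverts unless `_admin` owns the prize token right now,
    // so a caller who holds no such NFT cannot end up as admin of a draw.
    function initialize(address _admin, DrawSettings memory _settings) external {
        if (initialized) revert AlreadyInitialized();
        address owner = IERC721Minimal(_settings.token).ownerOf(_settings.tokenId);
        if (owner != _admin) revert NotTokenOwner(_admin, owner);
        initialized = true;
        admin = _admin;
        settings = _settings;
    }
}

contract SimpleDrawFactory {
    event SetupNewDrawing(address indexed admin, address indexed drawing);

    // Intentionally callable by anyone, as in the factory quoted in the finding;
    // the access decision is delegated to SimpleDraw.initialize().
    function makeNewDraw(DrawSettings memory settings) external returns (address) {
        SimpleDraw drawing = new SimpleDraw();
        drawing.initialize(msg.sender, settings); // reverts for non-owners
        emit SetupNewDrawing(msg.sender, address(drawing));
        return address(drawing);
    }
}
```

Whether an open factory is a finding therefore depends on what the per-draw `initialize` verifies; an auditor reviewing the factory alone should follow the call into the initializer before concluding that the admin role is unprotected.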

c4-judge commented 1 year ago

gzeon-c4 marked the issue as unsatisfactory: Invalid