search

code-423n4 / 2022-12-prepo-findings

0 stars 1 forks source link

CWE-767 Access to Critical Private Variable via Public Method #251

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/packages/prepo-shared-contracts/contracts/AccountListCaller.sol#L8

Vulnerability details

Impact

Attack on AccountListCaller is able to call private account list address from internal IAccountList.

Proof of Concept

PoC screen dump

https://github.com/gbadebosmith/ouch/blob/main/Attack%20on%20AccountListCaller%20able%20to%20call%20account%20list%20address%20from%20internal%20IAccountList%202022-12-11%20171458.jpeg

PoC solidity attack file

https://github.com/gbadebosmith/ouch/blob/main/AttackAccountListCaller.sol

Victim solidity file

https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/packages/prepo-shared-contracts/contracts/AccountListCaller.sol#:~:text=IAccountList%20internal%20_accountList%3B

Tools Used

Remix IDE local

Picodes commented 1 year ago

I don't understand the issue

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid