code-423n4 / 2022-12-prepo-findings

PrePOMarket.sol : a sender who is not included in the account list can front run and mint prior to setting the `_mintHook` #266

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/PrePOMarket.sol#L65-L74

Vulnerability details

Impact

A sender who is not included in the account list can front run and mint prior to setting the `_mintHook`.

Proof of Concept

The contract says,

* Minting will only be done by the team, and thus relies on the `_mintHook`
* to enforce access controls. This is also why there is no fee for `mint()`

But, when we look at the mint function, the sender gets validated only if the _mintHook is valid at line 68.

    function mint(uint256 _amount) external override nonReentrant returns (uint256) {
        require(finalLongPayout > MAX_PAYOUT, "Market ended");
        require(collateral.balanceOf(msg.sender) >= _amount, "Insufficient collateral");
        if (address(_mintHook) != address(0)) _mintHook.hook(msg.sender, _amount, _amount);
        collateral.transferFrom(msg.sender, address(this), _amount);
        longToken.mint(msg.sender, _amount);
        shortToken.mint(msg.sender, _amount);
        emit Mint(msg.sender, _amount);
        return _amount;
    }

The _mintHook is not set during the contract deployment. A separate function is used to set it.

As soon as the contract is deployed, the user can front run and call the mint function.

Tools Used

Manual review

Recommended Mitigation Steps

Set the `_mintHook` in the constructor while deploying the contract.

Revert if `_mintHook` is not set.
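
The two recommended mitigations combined in one fail-closed sketch. This is an added example, not part of the original report and not prePO's code; `IHook`, `FailClosedMarket`, `owner` and the revert strings are hypothetical names, and the collateral and token logic is left out so only the access-control path is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal hook interface, shaped after the call in the report.
// The hook is expected to revert when the sender is not allowed to mint.
interface IHook {
    function hook(address sender, uint256 amountBeforeFee, uint256 amountAfterFee) external;
}

// Constructed sketch: only the access-control path of mint() is modelled.
contract FailClosedMarket {
    IHook private _mintHook;
    address public immutable owner;

    event Mint(address indexed minter, uint256 amount);

    // Mitigation 1: the hook is supplied at deployment, so there is no
    // window between deployment and a later setter call.
    constructor(IHook mintHook_) {
        require(address(mintHook_) != address(0), "Mint hook required");
        _mintHook = mintHook_;
        owner = msg.sender;
    }

    // The hook can be replaced by the owner, but never cleared.
    function setMintHook(IHook mintHook_) external {
        require(msg.sender == owner, "Not owner");
        require(address(mintHook_) != address(0), "Mint hook required");
        _mintHook = mintHook_;
    }

    function mint(uint256 amount) external returns (uint256) {
        // Mitigation 2: fail closed. The reported code skips the check when
        // the hook is address(0); here an unset hook reverts instead.
        // Redundant with the checks above, kept as defense in depth.
        require(address(_mintHook) != address(0), "Mint hook not set");
        _mintHook.hook(msg.sender, amount, amount);
        emit Mint(msg.sender, amount);
        return amount;
    }
}
```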

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #312

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory