Picodes
commented
1 year ago There will be multiple PrePOMarket, and the intent is that the list of PrePOMarket is in the allowedMsgSenders list. Safety checks could be added, but this would fall within QA.
c4-judge
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/RedeemHook.sol#L17 https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/PrePOMarket.sol#L96
Vulnerability details
Impact
Access control for
hookfunction inRedeemHookContract is inconsistent with the implementation. Since the function involves a transfer of fees to Treasury, I've marked it as MEDIUM RISKRedeemHookchecks if sender is in a list of pre-approved accounts in_allowedMsgSenders. Access control modifier for thehookfunction (onlyAllowedMsgSenders) allows any allowed msg sender to access this hook.However, the function wraps a
IPrePOMarketinteface onmsg.senderin line 21This ineffect means that the hook is expecting
msg.senderto bePrePOMarketaddress. However, there is no such restriction to accounts added to_allowedMsgSenders. This behavior is inconsistent with 'access permissions' and the hook will throw an error when it tries to search forcollateraladdressProof of Concept
Bob is in the list of accounts of
_allowedMsgSendersand henceonlyAllowedMsgSendersallows Bob to access theredeemHook.However, Bob's account is not a
PrePOMarket- it will not return collateral address whengetCollateralfunction is called in Line 21 & hencetransferFromfunction can never work when Bob calls this function.Tools Used
Recommended Mitigation Steps
Since
redeemHookwill only be called from within theredeemfunction ofPrePOMarket, appropriate access control is to ONLY allowPrePOMarketaddress to access theredeemHook