c4-sponsor
commented
1 year ago RedVeil marked the issue as sponsor acknowledged
Closed code423n4 closed 1 year ago
c4-sponsor
commented
1 year ago RedVeil marked the issue as sponsor acknowledged
c4-judge
commented
1 year ago dmvt marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/VaultController.sol#L605
Vulnerability details
Impact
The owner can pause any user's vault and withdraw all the funds from the underlying protocol.
Proof of Concept
1.) The function here https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/VaultController.sol#L605 pauses the user's vault and withdraw all the funds from the underlying protocol.
2.) The condition at
https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/VaultController.sol#L608says caller can be owner OR the creator of the vault , while it should be just the creator as it would be a centralisation risk to let the owner pause the creator's vault.3.) There can be an explanation that this was because if the user failed to call and due to monitoring reasons , but for those conditions we can introduce a functionality where the user/creator can grant access to the owner to call the function.
The same goes for pause vaults too , here https://github.com/code-423n4/2023-01-popcorn//blob/main/src/vault/VaultController.sol#L605
Tools Used
Manual analysis
Recommended Mitigation Steps
Use mitigation discussed above .