Lines of code
https://github.com/code-423n4/2023-01-popcorn/blob/36477d96788791ff07a1ba40d0c726fb39bf05ec/src/vault/DeploymentController.sol#L55-L57
https://github.com/code-423n4/2023-01-popcorn/blob/36477d96788791ff07a1ba40d0c726fb39bf05ec/src/vault/TemplateRegistry.sol#L52-L59
Vulnerability details
Impact
Anyone can add templates to an existing category in TemplateRegistry.
Besides letting the registry be flooded with templates, this may open a frontrunning window between addTemplate and toggleTemplateEndorsement: depending on how templates are added and endorsed, if the two calls are sent in separate transactions, an attacker may be able to get their own template endorsed.
Proof of Concept
TemplateRegistry's addTemplate function has the onlyOwner modifier, but the addTemplate function of the DeploymentController that owns the registry requires no role, so calling it bypasses the TemplateRegistry check.
Tools Used
n/a
Recommended Mitigation Steps
Add onlyOwner to DeploymentController's addTemplate function.
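
The pattern described above, as an added example that is not the Popcorn source: a simplified model of a registry whose owner is a forwarding controller, shown with the unrestricted forwarder and with the recommended onlyOwner restriction. The Owned base contract, the Open/Guarded contract names and the address-only template payload are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Simplified model, not the Popcorn contracts: the template payload is reduced
// to an address and ownership is a hand-rolled modifier (both assumptions).
abstract contract Owned {
    address public owner;
    constructor(address owner_) { owner = owner_; }
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }
}

contract TemplateRegistry is Owned {
    mapping(bytes32 => mapping(bytes32 => address)) public templates;
    constructor(address owner_) Owned(owner_) {}

    // Guarded, but msg.sender here is the contract that forwards the call,
    // not the account that started the transaction.
    function addTemplate(bytes32 category, bytes32 id, address impl) external onlyOwner {
        templates[category][id] = impl;
    }
}

// Before: the controller owns the registry and forwards for any caller, so the
// registry's onlyOwner check always sees the controller and always passes.
contract OpenDeploymentController is Owned {
    TemplateRegistry public immutable templateRegistry;
    constructor() Owned(msg.sender) {
        templateRegistry = new TemplateRegistry(address(this));
    }
    function addTemplate(bytes32 category, bytes32 id, address impl) external {
        templateRegistry.addTemplate(category, id, impl);
    }
}

// After: the recommended mitigation, the same forwarder restricted to its owner.
contract GuardedDeploymentController is Owned {
    TemplateRegistry public immutable templateRegistry;
    constructor() Owned(msg.sender) {
        templateRegistry = new TemplateRegistry(address(this));
    }
    function addTemplate(bytes32 category, bytes32 id, address impl) external onlyOwner {
        templateRegistry.addTemplate(category, id, impl);
    }
}
```

When reviewing a contract that owns another, check every external function that forwards to an onlyOwner function on the owned contract: the forwarder's own access control is the effective one.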