code-423n4 / 2023-01-popcorn-findings


Anyone can add templates #754

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-popcorn/blob/36477d96788791ff07a1ba40d0c726fb39bf05ec/src/vault/DeploymentController.sol#L55-L57

https://github.com/code-423n4/2023-01-popcorn/blob/36477d96788791ff07a1ba40d0c726fb39bf05ec/src/vault/TemplateRegistry.sol#L52-L59

Vulnerability details

Impact

Anyone can add templates to an existing category in TemplateRegistry.

This means not only that the registry can be flooded with templates but also that, depending on how the templates are added and endorsed, there may be some front-running between addTemplate and toggleTemplateEndorsement if they're sent in separate transactions, which may allow an attacker to get his template endorsed.

Proof of Concept

TemplateRegistry's addTemplate function has the onlyOwner role, but the owning DeploymentController's addTemplate function does not have any role required, therefore bypassing the TemplateRegistry's.

Tools Used

n/a

Recommended Mitigation Steps

Add onlyOwner to DeploymentController's addTemplate function.
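
A simplified model of the call path this report describes, added here as an illustration and not taken from the Popcorn repository or written by the reporter. The contract names, the Entry struct, addTemplateRestricted, and the owner-gated endorsement path are assumptions of the model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;
// Constructed model of a registry owned by a controller; not the Popcorn source.
abstract contract OwnedModel {
    address public owner;
    constructor(address owner_) { owner = owner_; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
}

contract RegistryModel is OwnedModel {
    struct Entry { bool exists; bool endorsed; }
    mapping(bytes32 => mapping(bytes32 => Entry)) public templates;

    constructor(address owner_) OwnedModel(owner_) {}

    // Restricted at the registry: only its owner (the controller) may call.
    function addTemplate(bytes32 category, bytes32 id) external onlyOwner {
        require(!templates[category][id].exists, "exists");
        templates[category][id].exists = true; // endorsed stays false
    }

    function toggleTemplateEndorsement(bytes32 category, bytes32 id) external onlyOwner {
        require(templates[category][id].exists, "unknown");
        templates[category][id].endorsed = !templates[category][id].endorsed;
    }
}

contract ControllerModel is OwnedModel {
    RegistryModel public immutable registry;

    constructor(address owner_) OwnedModel(owner_) {
        registry = new RegistryModel(address(this)); // controller owns the registry
    }

    // As reported: no modifier. The registry sees msg.sender == controller,
    // so its onlyOwner check passes whoever called the controller.
    function addTemplate(bytes32 category, bytes32 id) external {
        registry.addTemplate(category, id);
    }

    // The report's recommended mitigation: the same forwarder behind onlyOwner.
    function addTemplateRestricted(bytes32 category, bytes32 id) external onlyOwner {
        registry.addTemplate(category, id);
    }

    function toggleTemplateEndorsement(bytes32 category, bytes32 id) external onlyOwner {
        registry.toggleTemplateEndorsement(category, id);
    }
}
```

In this model an entry added through the open forwarder has endorsed == false until the controller's owner toggles it, so when reviewing such a design the question is which downstream functions read exists and which read endorsed.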

c4-sponsor commented 1 year ago

RedVeil marked the issue as sponsor disputed

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Invalid