Open code423n4 opened 1 year ago
Due to a miscommunication 4naly3er wasn't run, hence Admin Privilege Reports should be in-scope per the rules.
Per the rules I also have to ask for a certain degree of proof and submission quality in order to award higher severity.
Due to this, I am electing to downgrade to QA, for lack of specific attacks being demonstrated.
GalloDaSballo changed the severity to QA (Quality Assurance)
m19 marked the issue as sponsor disputed
We dispute the validity of this: the mcag-contracts are by definition centralized since they represent real-world assets and thus require a centralized entity to issue those.
For the kuma-protocol contracts all the relevant roles will be granted to the KUMA DAO and the protocol cannot function if there are no ways to adjust the configuration. I don't see any way for the KUMA DAO to "drain funds" either even if the DAO was malicious.
GalloDaSballo marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/kuma-protocol/KUMASwap.sol#L57
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/kuma-protocol/KIBToken.sol#L42
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/mcag-contracts/KUMABondToken.sol#L26
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/mcag-contracts/MCAGAggregator.sol#L21
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/mcag-contracts/KYCToken.sol#L24
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/kuma-protocol/KUMAFeeCollector.sol#L25
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/kuma-protocol/KUMAAddressProvider.sol#L32
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/mcag-contracts/Blacklist.sol#L17
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/kuma-protocol/MCAGRateFeed.sol#L21
Vulnerability details
Impact
Contracts have owners with privileged rights to perform admin tasks and need to be trusted to not perform malicious updates or drain funds.
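The finding is about a pattern rather than a specific bug: a single privileged account can change protocol configuration in the same transaction it decides to, so users have to trust it unconditionally. The following is an added illustration, not code from the KUMA repository or from 4naly3er, of a minimal `onlyOwner` setter of that shape next to a hardened variant where changes are queued behind a delay and ownership moves in two steps. The contract names, the `fee` parameter and the `DELAY` constant are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative only; not code from the audited project.
// Shape the automated finding flags: any owner action takes effect immediately.
contract ImmediateAdmin {
    address public owner;
    uint256 public fee; // hypothetical configuration value

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // The change is applied in the same transaction it is proposed.
    function setFee(uint256 newFee) external onlyOwner {
        fee = newFee;
    }
}

// Hardened variant: changes are announced first, become executable only after
// DELAY, and ownership is transferred in two steps so control cannot be
// handed to a mistyped address.
contract TimelockedAdmin {
    uint256 public constant DELAY = 2 days; // assumed delay for the example

    address public owner;
    address public pendingOwner;
    uint256 public fee;

    struct Pending { uint256 value; uint256 eta; }
    Pending public pendingFee;

    event FeeQueued(uint256 value, uint256 eta);
    event FeeExecuted(uint256 value);
    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Step 1: announce the change. Monitoring the FeeQueued event gives
    // integrators and users DELAY seconds to react before it lands.
    function queueFee(uint256 newFee) external onlyOwner {
        uint256 eta = block.timestamp + DELAY;
        pendingFee = Pending(newFee, eta);
        emit FeeQueued(newFee, eta);
    }

    // Step 2: apply the queued value only once the delay has elapsed.
    function executeFee() external onlyOwner {
        Pending memory p = pendingFee;
        require(p.eta != 0, "nothing queued");
        require(block.timestamp >= p.eta, "timelock active");
        delete pendingFee;
        fee = p.value;
        emit FeeExecuted(p.value);
    }

    // Ownership handover: the new owner must actively accept.
    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }
}
```

The point of the second contract is not that the owner has less power, but that its actions become observable before they take effect: the `FeeQueued` event and the non-zero `pendingFee.eta` are what an off-chain monitor or a downstream protocol can check, which is the concrete thing a reviewer looks for when deciding whether an "owner must be trusted" note is merely informational or a real risk.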
Proof of Concept
Instances (47):
Tools Used
https://github.com/Picodes/4naly3er