Closed code423n4 closed 1 year ago
0xSorryNotSorry marked the issue as primary issue
All of this information is public anyway. its not an issue that somebody can read it
outdoteth marked the issue as sponsor disputed
GalloDaSballo marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePoolMetadata.sol#L17-L28
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePoolMetadata.sol#L17-L31
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePoolMetadata.sol#L35-L51
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePoolMetadata.sol#L55-L93
Vulnerability details
Impact
Absence of access control for the tokenURI, attributes, and svg functions can have a significant impact on the security of the smart contract. Without any access control, any user can read the metadata for a private pool, which could reveal sensitive information such as the pool's token ID, base token, NFT, virtual base token reserves, virtual NFT reserves, fee rate, NFT balance, base token balance, and pool address. Furthermore, this could allow an attacker to manipulate the metadata, leading to unexpected behavior or even loss of funds.
Proof of Concept
The tokenURI function generates an NFT metadata JSON string that contains an SVG image and attributes of a private pool. The line of code that is vulnerable is the call to svg(tokenId) inside the metadata variable; this function generates an SVG image for the private pool based on its tokenId. However, there is no access control implemented, so anyone can call this function and retrieve the SVG image. The attributes function also contains sensitive information about the private pool that should only be accessed by authorized parties.
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePoolMetadata.sol#L17-L28
We can attest that the contract does not implement access control, which allows anyone to call the tokenURI(), attributes(), and svg() functions that should only be accessed by authorized parties, by calling these functions from a different address than the authorized one.
Code block for the tokenURI() function:
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePoolMetadata.sol#L17-L31
Code block for the attributes() function:
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePoolMetadata.sol#L35-L51
Code block for the svg() function:
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePoolMetadata.sol#L55-L93
In the PrivatePoolMetadata contract, the tokenURI(), attributes(), and svg() functions are defined as public functions, which means that anyone can call them. However, these functions are intended to be accessed only by authorized parties. The lack of access control in these functions makes them vulnerable to exploitation.
Example scenario:
ID of 123.
tokenURI() function with the tokenId parameter set to 123.
Possible attack vectors:
tokenURI function for a private pool that they are not authorized to see, and view sensitive information about the pool.
tokenURI function and changing the JSON-encoded attributes.
Instance scenario:
tokenURI, attributes, and svg functions for Alice's private pool, but no one else should be able to.
Alternatively, Eve could modify the metadata for the private pool by changing the JSON-encoded attributes. This could misrepresent the information about the pool and potentially trick Bob into making a bad trade.
Tools Used
VS Code
Recommended Mitigation Steps
Consider implementing access control in the PrivatePoolMetadata contract to restrict access to authorized parties only. Checks such as require(msg.sender == owner) or require(hasRole("admin", msg.sender)) should be implemented to restrict access to the tokenURI(), attributes(), and svg() functions to authorized parties only.
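The metadata discussed in this issue is an NFT tokenURI JSON carrying an SVG image and an attributes array. As an added example (not the project's code and not part of the report), the decoder below shows that every field in such a URI is recoverable by any caller from the returned string alone, which is why the sponsor notes the information is public by design. The data:application/json;base64 and data:image/svg+xml;base64 layout is an assumption, and the sample pool values are constructed.

```python
import base64
import json

JSON_PREFIX = "data:application/json;base64,"
SVG_PREFIX = "data:image/svg+xml;base64,"


def build_sample_token_uri() -> str:
    """Constructed sample (not project output): a tokenURI-style data URI
    with a base64 SVG image and an attributes array like the one described."""
    svg = '<svg xmlns="http://www.w3.org/2000/svg"><text>Pool 123</text></svg>'
    metadata = {
        "name": "Private Pool 123",
        "image": SVG_PREFIX + base64.b64encode(svg.encode()).decode(),
        "attributes": [
            {"trait_type": "Pool address", "value": "0x000000000000000000000000000000000000c0de"},
            {"trait_type": "Fee rate", "value": "100"},
            {"trait_type": "Virtual base token reserves", "value": "1000"},
            {"trait_type": "Virtual NFT reserves", "value": "10"},
        ],
    }
    return JSON_PREFIX + base64.b64encode(json.dumps(metadata).encode()).decode()


def decode_token_uri(uri: str) -> dict:
    """Decode a base64 JSON data URI into the metadata object it carries."""
    if not uri.startswith(JSON_PREFIX):
        raise ValueError("unsupported tokenURI scheme")
    # validate=True rejects stray characters instead of silently skipping them
    return json.loads(base64.b64decode(uri[len(JSON_PREFIX):], validate=True))


def attributes_by_trait(metadata: dict) -> dict:
    """Flatten the attributes array into a {trait_type: value} mapping."""
    return {a["trait_type"]: a["value"] for a in metadata.get("attributes", [])}


def decode_svg(metadata: dict) -> str:
    """Recover the raw SVG document from the base64 image data URI."""
    image = metadata["image"]
    if not image.startswith(SVG_PREFIX):
        raise ValueError("unsupported image scheme")
    return base64.b64decode(image[len(SVG_PREFIX):], validate=True).decode()


if __name__ == "__main__":
    meta = decode_token_uri(build_sample_token_uri())
    print(attributes_by_trait(meta))
    print(decode_svg(meta))
```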