Closed: code423n4 closed this issue 1 year ago
minhquanym marked the issue as primary issue
Comment: _setData() will revert if it tries to set name or symbol:
https://github.com/lukso-network/lsp-smart-contracts/blob/32ad32f942888398bf99b039e98e238c3146c1b3/contracts/LSP4DigitalAssetMetadata/LSP4DigitalAssetMetadata.sol#L52C14-L52C22
minhquanym marked the issue as low quality report
CJ42 marked the issue as sponsor disputed
trust1995 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/lukso-network/lsp-smart-contracts/blob/32ad32f942888398bf99b039e98e238c3146c1b3/contracts/LSP7DigitalAsset/LSP7DigitalAsset.sol#L26-L27
https://github.com/lukso-network/lsp-smart-contracts/blob/32ad32f942888398bf99b039e98e238c3146c1b3/contracts/LSP8IdentifiableDigitalAsset/LSP8IdentifiableDigitalAsset.sol#L24-L25
Vulnerability details
Impact
The owner of a contract in LSP8IdentifiableDigitalAsset and LSP7DigitalAsset can arbitrarily change the name and symbol of a token after its deployment. This ability is due to the inheritance of the setData() function from ERC725YCore.sol implemented in LSP4DigitalAssetMetadata. Such functionality poses a significant risk, as these attributes can potentially influence the perceived value and trust of the token in the market. A sudden or unanticipated change in these attributes, like setting them to empty strings, may lead to confusion, decreased trust, and impact the intrinsic value of the token. Therefore, it could lead to market manipulation and potential financial loss for token holders.
Proof of Concept
The issue is found in the ERC725YCore code, specifically in lines 62-68, where any data key can be overridden. This includes the name and symbol of the tokens under LSP7 and LSP8 contracts.
For direct code references, please see: ERC725YCore.sol#L62-L68
Tools Used
The code was reviewed manually without the use of specific security tools.
Recommended Mitigation Steps
It is advisable to limit the ability to modify the token's name and symbol after the contract deployment. This can be achieved by:
- Setting the name and symbol attributes as immutable. Once assigned during contract deployment, these variables cannot be changed.
- Overriding the setData() function to disallow the modification of specific keys related to the token's name and symbol. This requires careful implementation to avoid unintentionally restricting modification of other necessary keys.
In general, any function or action that can influence the token's characteristics, perceived value, or operation should have appropriate access controls to prevent misuse and maintain the token's integrity.
Assessed type
Other
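The second mitigation listed in the report (a key gate inside the setData() path), written out as an added example. This is illustrative code, not the lsp-smart-contracts implementation: the contract and error names, the minimal owner check, the check harness, and the derivation of the two data keys as keccak256 of the key name are all assumptions made for this demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative ERC725Y-style key/value store with a key-gated _setData().
// Added example, NOT the lsp-smart-contracts code. Names, error types and
// the minimal owner check are assumptions made for the demo.
contract KeyGatedMetadataStore {
    // LSP4 data keys, computed here as keccak256 of the key name.
    // Assumption: verify against the constants published with the LSP4 spec.
    bytes32 public constant TOKEN_NAME_KEY = keccak256("LSP4TokenName");
    bytes32 public constant TOKEN_SYMBOL_KEY = keccak256("LSP4TokenSymbol");

    error NotOwner();
    error TokenNameNotEditable();
    error TokenSymbolNotEditable();

    event DataChanged(bytes32 indexed dataKey, bytes dataValue);

    address public owner;
    mapping(bytes32 => bytes) private _store;

    constructor(string memory name_, string memory symbol_) {
        owner = msg.sender;
        // Name and symbol are written exactly once, at deployment, by
        // touching the store directly rather than going through the gate.
        _store[TOKEN_NAME_KEY] = bytes(name_);
        _store[TOKEN_SYMBOL_KEY] = bytes(symbol_);
        emit DataChanged(TOKEN_NAME_KEY, bytes(name_));
        emit DataChanged(TOKEN_SYMBOL_KEY, bytes(symbol_));
    }

    function getData(bytes32 dataKey) external view returns (bytes memory) {
        return _store[dataKey];
    }

    // Public entry point: any key may be passed, but only the owner may write.
    function setData(bytes32 dataKey, bytes calldata dataValue) external {
        if (msg.sender != owner) revert NotOwner();
        _setData(dataKey, dataValue);
    }

    // The gate: the name and symbol keys revert even for the owner; every
    // other key is stored as before, so unrelated metadata keeps working.
    function _setData(bytes32 dataKey, bytes memory dataValue) internal {
        if (dataKey == TOKEN_NAME_KEY) revert TokenNameNotEditable();
        if (dataKey == TOKEN_SYMBOL_KEY) revert TokenSymbolNotEditable();
        _store[dataKey] = dataValue;
        emit DataChanged(dataKey, dataValue);
    }
}

// Check harness (assumed): deploys the store so that this contract is the
// owner, then tries the three writes that matter for the finding.
contract KeyGateCheck {
    function run() external returns (bool nameBlocked, bool symbolBlocked, bool otherAllowed) {
        KeyGatedMetadataStore s = new KeyGatedMetadataStore("MyToken", "MTK");

        // 1. Owner tries to blank the name -> must revert.
        try s.setData(s.TOKEN_NAME_KEY(), bytes("")) {
            nameBlocked = false;
        } catch {
            nameBlocked = true;
        }
        // 2. Owner tries to blank the symbol -> must revert.
        try s.setData(s.TOKEN_SYMBOL_KEY(), bytes("")) {
            symbolBlocked = false;
        } catch {
            symbolBlocked = true;
        }
        // 3. Owner writes an unrelated metadata key -> must succeed.
        bytes32 otherKey = keccak256("LSP4Metadata");
        bytes memory value = bytes("ipfs://example");
        try s.setData(otherKey, value) {
            otherAllowed = keccak256(s.getData(otherKey)) == keccak256(value);
        } catch {
            otherAllowed = false;
        }
        // The name written at deployment is still intact.
        require(keccak256(s.getData(s.TOKEN_NAME_KEY())) == keccak256(bytes("MyToken")));
    }
}
```

Deploy KeyGateCheck and call run(); the expected result is (true, true, true). The gate sits in the internal _setData() so that every public write path shares it, which is also what the comment above reports for the audited LSP4DigitalAssetMetadata contract (_setData() reverts on the name and symbol keys). An immutable field does not fit an ERC725Y-style key/value store, so a key check of this shape is the practical form of the report's first recommendation as well; the cost is that any new reserved key must be added to the gate deliberately, and any key left out of it stays owner-writable.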