Closed code423n4 closed 1 year ago
0xSorryNotSorry marked the issue as primary issue
deanamiel marked the issue as sponsor disputed
This is a misunderstanding, the modifier will revert only if the caller is neither the mint limiter nor the governance address. This is the intended behavior.
berndartmueller marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/cgp/AxelarGateway.sol#L85-L90
Vulnerability details
Impact
Detailed description of the impact of this finding. Addresses that are mint limiter but not governance will revert, thus not being able to call some functions as intended.
Proof of Concept
In the comment it was stated that it is either mint limiter or governance, but the code executes "and":

    /**
     * @dev Reverts with an error if the sender is not the mint limiter or governance.
     */
    modifier onlyMintLimiter() {
        if (msg.sender != getAddress(KEY_MINT_LIMITER) && msg.sender != getAddress(KEY_GOVERNANCE)) revert NotMintLimiter();

        _;
    }

This will affect those functions that carry the onlyMintLimiter function, being basically accessible only to the governance address, since it's not accessible to mint limiter addresses that are not governance addresses.
Tools Used
Manual review
Recommended Mitigation Steps
Change the "and" operator to "OR"
Assessed type
DoS
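The condition in the quoted modifier can be exercised in isolation. The following is an added example, not code from the AxelarGateway repository or from either participant: a hypothetical contract, MintLimiterCheckDemo, keeps the two role addresses in immutables (an assumption standing in for getAddress(KEY_MINT_LIMITER) and getAddress(KEY_GOVERNANCE)) and guards one function with the condition as written and another with the operator swapped as the issue recommends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added illustration, not AxelarGateway code. The contract name, the immutables
// and the two guarded functions are hypothetical; only the revert conditions
// mirror the modifier quoted in the issue.
contract MintLimiterCheckDemo {
    error NotMintLimiter();

    address public immutable mintLimiter;
    address public immutable governance;

    constructor(address mintLimiter_, address governance_) {
        mintLimiter = mintLimiter_;
        governance = governance_;
    }

    // Condition as written in the issue's snippet. By De Morgan's law,
    // (a != L && a != G) is the negation of (a == L || a == G), so the revert
    // fires only when the caller holds neither role.
    modifier onlyMintLimiter() {
        if (msg.sender != mintLimiter && msg.sender != governance) revert NotMintLimiter();
        _;
    }

    // Operator swapped to "||" as the issue recommends. The revert now fires
    // when the caller differs from either address, so a caller passes only if
    // it equals both, which requires one address to hold both roles.
    modifier onlyMintLimiterWithOr() {
        if (msg.sender != mintLimiter || msg.sender != governance) revert NotMintLimiter();
        _;
    }

    // Guarded by the condition as written.
    function guardedAsWritten() external view onlyMintLimiter returns (bool) {
        return true;
    }

    // Guarded by the swapped condition.
    function guardedWithOr() external view onlyMintLimiterWithOr returns (bool) {
        return true;
    }
}
```

Deploying it with two distinct addresses and calling both functions from the mint limiter, from governance and from a third account exercises every branch of the two conditions.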