code-423n4 / 2023-07-tapioca-findings


Add access control to init constructor-like function #1687

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/Tapioca-DAO/tapioca-bar-audit/blob/2286f80f928f41c8bc189d0657d74ba83286c668/contracts/markets/bigBang/BigBang.sol#L101

Vulnerability details

Impact

Not adding access control to the init function would allow front-running and the injection of malicious code.

Proof of Concept

```solidity
event MinDebtRateUpdated(uint256 oldVal, uint256 newVal);
/// @notice event emitted when the maximum debt rate is updated
event MaxDebtRateUpdated(uint256 oldVal, uint256 newVal);
/// @notice event emitted when the debt rate against the main market is updated
event DebtRateAgainstEthUpdated(uint256 oldVal, uint256 newVal);

constructor() MarketERC20("Tapioca BigBang") {}

/// @notice The init function that acts as a constructor
// @audit-issue M-01 Use this in constructor or add access control to avoid front running and adding malicious contracts
function init(bytes calldata data) external onlyOnce {
    (
        IPenrose tapiocaBar_,
        IERC20 _collateral,
        uint256 _collateralId,
        IOracle _oracle,
        uint256 _exchangeRatePrecision,
        uint256 _debtRateAgainstEth,
        uint256 _debtRateMin,
        uint256 _debtRateMax,
        uint256 _debtStartPoint
```

Tools Used

Remix, Hardhat

Recommended Mitigation Steps

Add proper access control

Assessed type

Access Control
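An added illustration of the pattern this finding describes and the mitigation it recommends; this is example code, not Tapioca's BigBang contract. The contract names, the `onlyOnce` implementation, the `deployer` variable and the single `_oracle` parameter are assumptions chosen to keep the sketch short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Unprotected shape: init() can be called once by whoever reaches it first,
/// so a transaction that lands before the intended deployer's sets the state.
contract MarketUnprotected {
    address public oracle;
    bool private _initialized;

    // Assumed onlyOnce implementation (not the original contract's code).
    modifier onlyOnce() {
        require(!_initialized, "already initialized");
        _;
        _initialized = true;
    }

    function init(address _oracle) external onlyOnce {
        oracle = _oracle; // first caller wins
    }
}

/// Hardened shape: the address that deployed the contract is recorded in the
/// constructor and is the only one allowed to call init(). Doing the setup
/// directly in the constructor, the finding's other suggestion, removes the
/// window entirely.
contract MarketProtected {
    address public immutable deployer; // assumed name
    address public oracle;
    bool private _initialized;

    constructor() {
        deployer = msg.sender;
    }

    modifier onlyOnce() {
        require(!_initialized, "already initialized");
        _;
        _initialized = true;
    }

    function init(address _oracle) external onlyOnce {
        require(msg.sender == deployer, "init: not deployer");
        oracle = _oracle;
    }
}
```

When the contract is created through a factory or clone, `deployer` is that factory, so the check must match whichever account is expected to call `init` in the deployment flow.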

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #577

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Overinflated severity