Open code423n4 opened 1 year ago
Leaving for judge review
bytes032 marked the issue as sufficient quality report
Related to #270
bytes032 marked the issue as low quality report
GalloDaSballo changed the severity to QA (Quality Assurance)
GalloDaSballo marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L36 https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L36
Vulnerability details
Impact
EIP4337 defines introduces account abstraction. Main idea is that technically account is smart contract. And here's where the problem arises: protocol must whitelist every single user's ERC4337 account to allow interaction with protocol. Otherwise users won't be able to use protocol. This approach is impractical in reality because costs too much gas.
Proof of Concept
Now it checks whether caller is whitelisted if caller is smart contract: https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/helper/ContractWhitelist.sol#L34-L39
And this check is performed on interactions with RdpxV2Core and PerpetualAtlanticVault
Tools Used
Manual Review
Recommended Mitigation Steps
Introduce
bool isWhitelistDisabled
. And don't check whitelist whenisWhitelistDisabled = true
It will allow to disable this check in case ERC4337 gains popularityAssessed type
Invalid Validation