code-423n4 / 2023-08-goodentry-findings


Unauthorized Access to Critical Functions in Smart Contract #536

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/PositionManager/OptionsPositionManager.sol#L223-L241
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/PositionManager/OptionsPositionManager.sol#L123-L150
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/PositionManager/OptionsPositionManager.sol#L250-L328

Vulnerability details

Description

The provided smart contract contains critical functions, such as close, closeDebt, and withdrawOptionAssets, that can be called by any external address without proper authentication or authorization checks. This lack of access control exposes the contract to potential security vulnerabilities, allowing unauthorized users to perform actions on behalf of other users without their consent. As a result, the contract's functionality could be abused, leading to unauthorized management of assets and positions.

Mitigation

To address this vulnerability and ensure the security of the smart contract, implement proper access control mechanisms in the affected functions. Add checks at the beginning of each function to verify that the user parameter matches the msg.sender. This validation ensures that only the authorized user can execute these critical functions. Use the require statement to enforce this condition. Additionally, consider implementing a role-based access control (RBAC) system to provide different levels of access to various contract functions based on user roles.

Assessed type

Access Control
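The mitigation above describes binding a `user` parameter to `msg.sender`. The contract below is an added illustration of that pattern and is not GoodEntry code or the code referenced in the report; `PositionVaultExample`, `positions`, `operators`, `closeUnchecked`, `close`, `closeFor` and `_settle` are hypothetical names chosen for the example. It places the unchecked form beside the `require(user == msg.sender)` form, adds an explicit owner-approved operator variant, and shows why an `internal`/`private` helper needs no such check: it has no external entry point, so the only way to reach it is through a public function that has already done the authorization.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example, not project code. Demonstrates the "user == msg.sender"
/// check proposed in the report, an owner-approved operator variant, and
/// the fact that internal helpers are unreachable from outside the contract.
contract PositionVaultExample {
    // Hypothetical state: ETH deposited per user, standing in for a position.
    mapping(address => uint256) public positions;

    // Owner => operator => allowed. Lets an owner delegate closing explicitly.
    mapping(address => mapping(address => bool)) public operators;

    event Closed(address indexed user, uint256 amount, address indexed caller);

    function open() external payable {
        require(msg.value > 0, "no value");
        positions[msg.sender] += msg.value;
    }

    // Weak form: `user` is taken from calldata and never tied to the caller,
    // so anyone can force-close another user's position without consent.
    function closeUnchecked(address user) external {
        _settle(user);
    }

    // Hardened form from the report's mitigation: only the owner may close.
    function close(address user) external {
        require(user == msg.sender, "not position owner");
        _settle(user);
    }

    // Owner opts an operator in or out; only the owner can change this.
    function setOperator(address op, bool allowed) external {
        operators[msg.sender][op] = allowed;
    }

    // Delegated form: the owner, or an operator the owner approved, may close.
    function closeFor(address user) external {
        require(
            user == msg.sender || operators[user][msg.sender],
            "not owner or approved operator"
        );
        _settle(user);
    }

    // `internal` (likewise `private`) functions have no external ABI entry
    // point, so an external caller cannot invoke this directly. Authorization
    // belongs in the public functions above, not here.
    function _settle(address user) internal {
        uint256 amount = positions[user];
        require(amount > 0, "nothing to close");
        positions[user] = 0; // effects before interaction
        (bool ok, ) = user.call{value: amount}("");
        require(ok, "transfer failed");
        emit Closed(user, amount, msg.sender);
    }
}
```

To see the difference in a local test: deposit from account A, then call `closeUnchecked(A)` from account B (succeeds, A is closed out against its will) versus `close(A)` from account B (reverts with "not position owner"). Attempting to call `_settle` from outside the contract does not even compile against the ABI, which is the point the sponsor makes about `internal` and `private` functions.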

141345 commented 1 year ago

invalid

close() is working as expected. closeDebt() is an internal function. withdrawOptionAssets() is a private function.

c4-pre-sort commented 1 year ago

141345 marked the issue as low quality report

c4-judge commented 1 year ago

gzeon-c4 marked the issue as unsatisfactory: Invalid