code-423n4 / 2023-09-delegate-findings


Lack of Access Control On Flashloan #371

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L389-L411

Vulnerability details

Impact

Proof of Concept

The flashloan function takes in a Structs.FlashInfo calldata info parameter which specifies the below variables:

    struct DelegateInfo {
        address principalHolder;
        IDelegateRegistry.DelegationType tokenType;
        address delegateHolder;
        uint256 amount;
        address tokenContract;
        uint256 tokenId;
        bytes32 rights;
        uint256 expiry;
    }

However, there is no check within the function that the msg.sender is the delegateHolder or the principalHolder. This means that any user can call this function to get a free flash-loan of the underlying. This is problematic as the purpose of the vault is for the principalHolder to give delegation rights to the delegateHolder, without giving extra permissions to other users.

For example:

There could be an airdrop for holders of a certain NFT during a certain block. Any user could flashloan an NFT in the vault and collect the airdrop which they are not entitled to.

Tools Used

Manual Review

Recommended Mitigation Steps

There should be an access control such as:

    require(info.delegateHolder == msg.sender);

or

    require(info.principalHolder == msg.sender);

This ensures that only the delegate or principal holder has rights to flash loan.

Assessed type

Access Control

GalloDaSballo commented 1 year ago
    function revertNotOperator(mapping(address account => mapping(address operator => bool enabled)) storage accountOperator, address account) internal view {
        if (msg.sender == account || accountOperator[account][msg.sender]) return;
        revert Errors.NotOperator(msg.sender, account);
    }
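As an added illustration of the operator gate quoted in the reply above, here is a minimal vault that calls that gate with the delegate holder's address before lending a token out. This is example code, not the Delegate project's own source: the `Structs.FlashInfo` field list, `ExampleVault`, `setApprovalForAll`, `IFlashReceiver` and the loan body are assumptions made for the illustration; only `revertNotOperator` and the mapping shape come from the thread.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not the Delegate project's code. Library and struct names
// mirror the thread; the field list and the vault itself are assumptions.
library Errors {
    error NotOperator(address caller, address account);
}

library Structs {
    struct FlashInfo {
        address delegateHolder; // assumed: holder whose delegation backs the loan
        address tokenContract;
        uint256 tokenId;
    }
}

interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
    function ownerOf(uint256 tokenId) external view returns (address);
}

interface IFlashReceiver {
    function onFlashloan(Structs.FlashInfo calldata info) external;
}

contract ExampleVault {
    // account => operator => enabled, same shape as the mapping in the reply above
    mapping(address account => mapping(address operator => bool enabled)) internal accountOperator;

    // An account enables or disables an operator for itself (assumed entry point).
    function setApprovalForAll(address operator, bool approved) external {
        accountOperator[msg.sender][operator] = approved;
    }

    // Gate from the reply: pass if the caller is the account itself or an
    // operator the account has enabled, otherwise revert.
    function revertNotOperator(
        mapping(address account => mapping(address operator => bool enabled)) storage operators,
        address account
    ) internal view {
        if (msg.sender == account || operators[account][msg.sender]) return;
        revert Errors.NotOperator(msg.sender, account);
    }

    // Shape the finding describes: any caller can borrow the token for one transaction.
    function flashloanUnguarded(Structs.FlashInfo calldata info) external {
        _lend(info);
    }

    // Gated form: only info.delegateHolder, or an operator it approved, may call.
    function flashloan(Structs.FlashInfo calldata info) external {
        revertNotOperator(accountOperator, info.delegateHolder);
        _lend(info);
    }

    // Lend the token to the caller for the duration of the callback and require it back.
    function _lend(Structs.FlashInfo calldata info) private {
        IERC721 token = IERC721(info.tokenContract);
        token.transferFrom(address(this), msg.sender, info.tokenId);
        IFlashReceiver(msg.sender).onFlashloan(info);
        // The token must be back in the vault before the transaction ends.
        if (token.ownerOf(info.tokenId) != address(this)) revert("token not returned");
    }
}
```

The two entry points differ only in the gate: `flashloanUnguarded` is the behaviour the finding assumed, while `flashloan` reverts with `NotOperator` for every caller other than `info.delegateHolder` and the operators that account enabled through `setApprovalForAll`, which is the check the reply points to.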
c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Invalid