Closed c4-submissions closed 1 year ago
```solidity
function revertNotOperator(mapping(address account => mapping(address operator => bool enabled)) storage accountOperator, address account) internal view {
    if (msg.sender == account || accountOperator[account][msg.sender]) return;
    revert Errors.NotOperator(msg.sender, account);
}
```
GalloDaSballo marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L389-L411
Vulnerability details
Impact
Proof of Concept
The flashloan function takes in a Structs.FlashInfo calldata info parameter which specifies the below variables:

However, there is no check within the function that the msg.sender is the delegateHolder or the principalHolder. This means that any user can call this function to get a free flash loan of the underlying. This is problematic because the purpose of the vault is for the principalHolder to give delegation rights to the delegateHolder, without giving extra permissions to other users. For example:

There could be an airdrop for holders of a certain NFT during a certain block. Any user could flashloan an NFT in the vault and collect an airdrop to which they are not entitled.
Tools Used
Manual Review
Recommended Mitigation Steps
There should be an access control such as:

or

This ensures that only the delegate holder or the principal holder has the right to take the flash loan.
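The following contract is an added illustration of the recommended check, written for this issue; it is not the DelegateToken code. The FlashInfo field layout, the IFlashloanReceiver callback, the IERC721Minimal interface and the loan mechanics are assumptions made for the example; only the delegateHolder / principalHolder names and the accountOperator mapping shape are taken from the issue text. It shows the unchecked function shape the issue describes next to a hardened version that accepts the caller only if it is one of the two holders or an operator they approved.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the project's code. Interfaces, struct layout and the
// loan mechanics below are assumptions made for the example.

interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Assumed callback: the receiver gets the NFT, does its work, and must hand it back.
interface IFlashloanReceiver {
    function onFlashloan(address initiator, address tokenContract, uint256 tokenId, bytes calldata data) external;
}

library Errors {
    error NotOperator(address caller, address account);
    error NotReturned(address tokenContract, uint256 tokenId);
}

contract FlashloanAccessExample {
    // Assumed layout; the issue only names delegateHolder and principalHolder.
    struct FlashInfo {
        address receiver;
        address delegateHolder;
        address principalHolder;
        address tokenContract;
        uint256 tokenId;
        bytes data;
    }

    // account => operator => enabled, the shape the revertNotOperator helper expects.
    mapping(address account => mapping(address operator => bool enabled)) public accountOperator;

    function setOperator(address operator, bool enabled) external {
        accountOperator[msg.sender][operator] = enabled;
    }

    // True when the caller is `account` itself or an operator approved by `account`.
    function _isAccountOrOperator(address account) internal view returns (bool) {
        return msg.sender == account || accountOperator[account][msg.sender];
    }

    // Unchecked shape described by the issue: nothing restricts who may call, so any
    // address can borrow the escrowed NFT for the duration of the transaction.
    function flashloanUnchecked(FlashInfo calldata info) external {
        _lend(info);
    }

    // Hardened shape: only the delegate holder, the principal holder, or one of their
    // approved operators may trigger the loan. Accepting either holder is this example's
    // reading of the "or" in the mitigation; a deployment may choose to allow just one.
    function flashloan(FlashInfo calldata info) external {
        if (!_isAccountOrOperator(info.delegateHolder) && !_isAccountOrOperator(info.principalHolder)) {
            revert Errors.NotOperator(msg.sender, info.delegateHolder);
        }
        _lend(info);
    }

    // Minimal loan: hand the NFT to the receiver, run its callback, and require that the
    // token is back in this contract before the transaction ends.
    function _lend(FlashInfo calldata info) internal {
        IERC721Minimal nft = IERC721Minimal(info.tokenContract);
        nft.transferFrom(address(this), info.receiver, info.tokenId);
        IFlashloanReceiver(info.receiver).onFlashloan(msg.sender, info.tokenContract, info.tokenId, info.data);
        if (nft.ownerOf(info.tokenId) != address(this)) {
            revert Errors.NotReturned(info.tokenContract, info.tokenId);
        }
    }
}
```

The check is deliberately evaluated against the holders named in `info` rather than against `msg.sender` alone: a caller who is neither holder cannot satisfy it by supplying its own address in the struct, because the holders are compared with the caller, not taken on trust.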
Assessed type
Access Control