Anyone can call replenishReserves(...) (token version) to repay borrowed reserves with reserves

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchPort.sol#L167

Vulnerability details

Impact

The replenishReserves(token, ...) can be called by anyone.

Proof of Concept

The NATSPEC comment in the IBranchPort states the replenishReserves(token, ...) can only be called by the port strategy itself as shown below

    /**
     * @notice allow approved address to repay borrowed reserves with reserves
     *     @param _amount uint
     *     @param _token address
     *     @dev must be called by the port strategy itself
     */
    function replenishReserves(address _token, uint256 _amount) external;

but in the implementation, there is no access control in place to ensure that only the port strategy can call it.

Tools Used

Manual review.

Recommended Mitigation Steps

Consider adding a modifier to ensure only strategy can call the function.

Assessed type

Access Control

[c4-pre-sort]

0xA5DF marked the issue as primary issue

[c4-pre-sort]

0xA5DF marked the issue as sufficient quality report

[0xA5DF]

Leaving open for sponsor to comment

[0xA5DF]

Notice #761 talks about front running due to this, but the root of the issue seems to be the same

[c4-sponsor]

0xBugsy (sponsor) disputed

[0xBugsy]

There is no issue here. It is intended that the strategy can repay its own debt. We check such debt exists here: https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchPort.sol#L168C1-L168C1

[c4-judge]

alcueca marked the issue as unsatisfactory: Invalid

[c4-judge]

alcueca marked the issue as unsatisfactory: Invalid