code-423n4 / 2023-10-brahma-findings


Registered wallet and sub account cannot be removed #448

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/registries/WalletRegistry.sol#L35
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/registries/WalletRegistry.sol#L49
https://github.com/code-423n4/2023-10-brahma/blob/dd0b41031b199a0aa214e50758943712f9f574a0/contracts/src/core/registries/PolicyRegistry.sol#L52

Vulnerability details

Impact

Registered wallet and sub account cannot be removed

Proof of Concept

In WalletRegistry,

the wallet can be registered by calling registerWallet

the sub account can be registered as well by calling registerSubAccount

However, once registered, the wallet or sub account can never be removed

a registered wallet or sub account can always call sensitive functions such as updatePolicy from PolicyRegistry.sol

even if the owner later finds that the registered wallet or sub account is hacked or misbehaves and wants to remove the account, he / she cannot do so

Tools Used

Manual Review

Recommended Mitigation Steps

add the function to remove registered wallet / sub account

Assessed type

Access Control
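The mitigation proposed in the finding, as an added illustration that is not Brahma's WalletRegistry or PolicyRegistry code: a hypothetical minimal registry in which every registration has an owner-gated removal counterpart, so a compromised or misbehaving sub account can be revoked and consumers that check the mapping reject it afterwards. The contract name, the `owner` admin address, the mapping names and the events are assumptions for this example; the same pattern applies to wallet removal.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical minimal registry (not Brahma's WalletRegistry) illustrating the
// mitigation above: registration paired with an owner-gated removal function.
contract RevocableWalletRegistry {
    address public immutable owner; // admin allowed to revoke registrations
    mapping(address => bool) public isWallet;
    mapping(address => address) public subAccountToWallet;

    event WalletRegistered(address indexed wallet);
    event SubAccountRegistered(address indexed wallet, address indexed subAccount);
    event SubAccountRemoved(address indexed wallet, address indexed subAccount);

    error NotAuthorized();
    error AlreadyRegistered();
    error NotRegistered();

    constructor(address _owner) { owner = _owner; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotAuthorized();
        _;
    }

    // A wallet registers itself, matching the flow the finding describes.
    function registerWallet() external {
        if (isWallet[msg.sender]) revert AlreadyRegistered();
        isWallet[msg.sender] = true;
        emit WalletRegistered(msg.sender);
    }

    // Only a registered wallet may attach a sub account to itself.
    function registerSubAccount(address subAccount) external {
        if (!isWallet[msg.sender]) revert NotRegistered();
        if (subAccountToWallet[subAccount] != address(0)) revert AlreadyRegistered();
        subAccountToWallet[subAccount] = msg.sender;
        emit SubAccountRegistered(msg.sender, subAccount);
    }

    // Mitigation: a compromised or misbehaving sub account can be detached;
    // any consumer that requires subAccountToWallet(sub) != 0 then rejects it.
    // The emitted event gives monitoring a clear signal that access was revoked.
    function removeSubAccount(address subAccount) external onlyOwner {
        address wallet = subAccountToWallet[subAccount];
        if (wallet == address(0)) revert NotRegistered();
        delete subAccountToWallet[subAccount];
        emit SubAccountRemoved(wallet, subAccount);
    }
}
```

A consumer such as a policy-update function should gate on `subAccountToWallet(sub) != address(0)` (or `isWallet(wallet)`) at call time rather than caching the result, so revocation takes effect immediately.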

c4-pre-sort commented 10 months ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 10 months ago

raymondfam marked the issue as duplicate of #249

c4-judge commented 10 months ago

alex-ppg marked the issue as not a duplicate

c4-judge commented 10 months ago

alex-ppg marked the issue as duplicate of #410

c4-judge commented 10 months ago

alex-ppg marked the issue as unsatisfactory: Invalid