code-423n4 / 2023-10-opendollar-findings


correct use of safeAllowed modifier #403

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/proxies/ODSafeManager.sol#L235

Vulnerability details

Impact

Detailed description of the impact of this finding.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

Tools Used

Recommended Mitigation Steps

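    function addSAFE(uint256 _safe) external {
      // Load the stored data for this SAFE to get its collateral type
      SAFEData memory _sData = _safeData[_safe];
      // Add the SAFE id to the caller's sets: all SAFEs, and SAFEs per collateral type
      _usrSafes[msg.sender].add(_safe);
      _usrSafesPerCollat[msg.sender][_sData.collateralType].add(_safe);
    }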

Here in the addSAFE function, we are not using the safeAllowed modifier.

Tools Used: Manual

Recommended Mitigation Steps: use the safeAllowed modifier.

Assessed type

Access Control

c4-pre-sort commented 1 year ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 1 year ago

raymondfam marked the issue as primary issue

raymondfam commented 1 year ago

Insufficient proof.

c4-judge commented 1 year ago

MiloTruck marked the issue as unsatisfactory: Insufficient proof

MiloTruck commented 1 year ago

Warden has failed to point out how it would allow users to add any _safe ID to _usrSafes and _usrSafesPerCollat for themselves.