code-423n4 / 2023-10-wildcat-findings


Lack of access control on `overrideSanction()`, any user can override sanctioned address #719

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatSanctionsSentinel.sol#L45-L51

Vulnerability details

Impact

Without proper access control, any address can call the overrideSanction function and override the sanction status of an account. This can potentially be exploited by malicious actors to bypass sanctions and carry out unauthorized actions, putting the entire protocol at risk.

The integrity of the sanction overrides data is compromised, as any user can manipulate the status, leading to unreliable and incorrect data.

Users may lose trust in the protocol due to its inability to secure important functions, which could lead to a decrease in user adoption and overall value of the protocol.

Proof of Concept

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface for the target's overrideSanction(address) entry point
interface ITargetProtocol {
    function overrideSanction(address account) external;
}

// Malicious actor's contract
contract Attack {
    address targetProtocol; // Address of the target protocol (the sentinel)

    constructor(address _targetProtocol) {
        targetProtocol = _targetProtocol;
    }

    // Call overrideSanction for an arbitrary account from this contract
    function exploit(address victimAccount) public {
        // Exploit the lack of access control in the target protocol
        ITargetProtocol(targetProtocol).overrideSanction(victimAccount);
    }
}

In the above proof of concept, a malicious actor deploys a contract Attack that calls the overrideSanction function on the target protocol, exploiting the lack of access control and potentially overriding sanctions on an account.

Tools Used

VSCode

Recommended Mitigation Steps

Add access control to the overrideSanction function to ensure that only authorized addresses can call this function.

Assessed type

Access Control

laurenceday commented 10 months ago

If you look at the way that the sanctionOverrides mapping is actually built, the override only actually triggers if it is the borrower that activates it for a given lender.

Third parties are welcome to spam overrideSanction until the heat death of the Universe, it changes nothing except contributing to the ultrasound money narrative by burning ETH.
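To make the sponsor's point concrete, here is a small Python model of the sentinel's override logic (an added example, not the project's Solidity and not part of this thread). It mirrors the shape described above: the override is stored under msg.sender's own address and is only consulted for the borrower of a given market, so a third party calling overrideSanction writes to its own slot and changes nothing for the borrower. The borrower, lender and attacker labels and the in-memory sanctions set are constructed for the example.

```python
"""Model of the sentinel's sanction-override logic.

Added example, not the project's code.  `override_sanction` follows the
msg.sender-keyed mapping described in the thread: sanctionOverrides is
indexed first by the caller, then by the account being overridden, and
`is_sanctioned(borrower, account)` only reads the borrower's own slot.
The addresses and the sanctions set below are constructed for the demo.
"""
from collections import defaultdict


class SanctionsSentinelModel:
    def __init__(self, chainalysis_sanctioned: set[str]):
        # Stand-in for the external Chainalysis sanctions list contract
        self._chainalysis = set(chainalysis_sanctioned)
        # sanctionOverrides[borrower][account] -> bool
        self._overrides: dict[str, dict[str, bool]] = defaultdict(dict)

    def override_sanction(self, msg_sender: str, account: str) -> None:
        # No access control is needed: the caller can only write its own row
        self._overrides[msg_sender][account] = True

    def is_sanctioned(self, borrower: str, account: str) -> bool:
        # !sanctionOverrides[borrower][account] && chainalysis.isSanctioned(account)
        overridden = self._overrides[borrower].get(account, False)
        return (not overridden) and (account in self._chainalysis)


def demo() -> tuple[bool, bool, bool]:
    """Returns (before, after a third-party call, after the borrower's call)."""
    borrower, lender, attacker = "0xB0RR0WER", "0x1ENDER", "0xA77ACKER"
    sentinel = SanctionsSentinelModel({lender})  # lender is on the list

    before = sentinel.is_sanctioned(borrower, lender)

    # The "attack" from the report: an unrelated address calls overrideSanction.
    # It only sets sanctionOverrides[attacker][lender]; the borrower's row is untouched.
    sentinel.override_sanction(attacker, lender)
    after_attacker = sentinel.is_sanctioned(borrower, lender)

    # The intended use: the borrower itself lifts the sanction for its own market.
    sentinel.override_sanction(borrower, lender)
    after_borrower = sentinel.is_sanctioned(borrower, lender)

    return before, after_attacker, after_borrower


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The check a reviewer would apply to any "missing access control" finding on a setter is exactly this one: ask which key the write lands under. When the storage slot is derived from msg.sender, an arbitrary caller can only poison its own entry, and the finding reduces to gas spent by the caller.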

c4-pre-sort commented 10 months ago

minhquanym marked the issue as low quality report

c4-judge commented 10 months ago

MarioPoneder marked the issue as unsatisfactory: Invalid