Open c4-submissions opened 10 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #69
fatherGoose1 changed the severity to QA (Quality Assurance)
fatherGoose1 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTConfig.sol#L70-L76 https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTConfig.sol#L70-L76
Vulnerability details
Impact
The
addNewSupportedAsset
function does not validate asset addresses. This allows anyone to add malicious or invalid contracts as supported assets. These could manipulate protocol behavior or steal funds when interacted with.Proof of Concept
addNewSupportedAsset
takes an asset address as input. But does not verify that this address is a valid ERC20 token contract.This means an arbitrary address could be added as a "supported" asset, not just real tokens.
The
addNewSupportedAsset
external function which:MANAGER
role using the OpenZeppelin onlyRole modifier_addNewSupportedAsset
function to add the assetThe key issue is that
addNewSupportedAsset
does not verify that the asset address passed in is a valid ERC20 token contract. It only relies on the access control check fromonlyRole
.So any address could be passed and added as a supported asset, even if it is not an actual token contract.
addNewSupportedAsset function
This allows adding any arbitrary address as a supported asset.
An attacker could:
This test demonstrates adding a malicious contract, and it draining funds when used as a "supported" asset.
But the Likelihood of this happening
addNewSupportedAsset
(MANAGER role holder)Tools Used
Manual review
Recommended Mitigation
In
addNewSupportedAsset
, validate asset addresses are proper ERC20 contracts before adding:This prevents invalid addresses from being added.
Assessed type
Invalid Validation