code-423n4 / 2024-01-curves-findings

"setCurves" function in the FeeSplitter contract lacks an authentication check, limiting who can modify the curve implementation reference. #155

Closed c4-bot-1 closed 9 months ago

c4-bot-1 commented 9 months ago

Lines of code

https://github.com/code-423n4/2024-01-curves/blob/main/contracts/FeeSplitter.sol#L35

Vulnerability details

Impact

The full ETH balance on the FeeSplitter smart contract can be stolen.

Proof of Concept

Consider the following attack vector:

1) The attacker has any social token which has already accumulated some fee credit.
2) The attacker calls "setCurves" to set the curves smart contract to their own controlled smart contract.
3) The attacker calls "claimFees", which will call the attacker-controlled smart contract in order to query the balance. The attacker-controlled smart contract now provides a balance which allows extracting the entire available Ether balance of the FeeSplitter contract, since the provided balance is used to calculate unclaimedFees.

Tools Used

Manual review.

Recommended Mitigation Steps

Consider incorporating a function modifier into the 'setCurves' function, ensuring that only authorized roles have the capability to modify the curve implementation.

Assessed type

Access Control
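
One way to apply the recommended mitigation, as an added example that is not part of the original report or the project's code. Apart from `setCurves`, every name here (`GuardedFeeSplitter`, `ICurvesLike`, `balanceOf`, `owner`, the errors and the event) is an assumption made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's FeeSplitter. All names except
// setCurves are hypothetical.
interface ICurvesLike {
    // Hypothetical balance query that the splitter trusts when computing fees.
    function balanceOf(address token, address account) external view returns (uint256);
}

contract GuardedFeeSplitter {
    address public owner;
    ICurvesLike public curves;

    error NotOwner(address caller);
    error NotAContract(address candidate);

    // Emitted on every change so monitoring can alert on an unexpected repoint.
    event CurvesUpdated(address indexed previous, address indexed current, address indexed by);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    // Sketch of the unguarded form the report describes (callable by anyone):
    //   function setCurves(ICurvesLike curves_) public { curves = curves_; }

    // Guarded form: only the owner may change the contract whose balances
    // feed the fee calculation.
    function setCurves(ICurvesLike curves_) external onlyOwner {
        // Reject the zero address and EOAs; the balance source must be deployed code.
        if (address(curves_).code.length == 0) revert NotAContract(address(curves_));
        emit CurvesUpdated(address(curves), address(curves_), msg.sender);
        curves = curves_;
    }
}
```

The owner check limits who can change the reference; the event gives off-chain monitoring a signal if the reference changes outside a planned upgrade.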

c4-pre-sort commented 9 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 9 months ago

raymondfam marked the issue as duplicate of #4

c4-judge commented 9 months ago

alcueca changed the severity to 2 (Med Risk)