Closed c4-bot-8 closed 7 months ago
This is intended. Repaying a trove's debt cannot worsen the trove's health, and hence it is impossible for the trove owner to lose out since he is essentially getting a donation.
bytes032 marked the issue as insufficient quality report
The Warden specifies how debt repayment should solely be open to the owner of the debt themselves.
As the Sponsor denotes, there is no negative side-effect of this; whether the debt is repaid at a "bad" time or not, a non-zero debt repayment results in a net positive for the indebted.
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/abbot.cairo#L222
Vulnerability details
Impact
Allowing anyone to call the melt() function on a trove can be dangerous. The major impact is that it allows an unauthorized party to repay the debt (by destroying Yin) of a user's trove, potentially without the user's consent or knowledge. The severity of this issue is high because it can lead to the following consequences:
Proof of Concept
The melt() function in the Abbot contract allows anyone to repay a user's debt. Here is a more detailed explanation: The melt() function is defined as:
The key thing to note is that there is no check that the caller is the trove owner. get_caller_address() simply returns whoever called the function. This means anyone can call melt() and repay debt in any trove by passing in the trove_id.
Tools Used
Manual
Recommended Mitigation Steps
melt() should check that get_caller_address() == self.trove_owner.read(troveId), ensuring only a trove's owner can repay its debt
Assessed type
Other