Open c4-bot-2 opened 8 months ago
Picodes marked the issue as duplicate of #637
Picodes marked the issue as satisfactory
Picodes marked the issue as selected for report
othernet-global (sponsor) confirmed
Managed wallet has been removed:
https://github.com/othernet-global/salty-io/commit/5766592880737a5e682bb694a3a79e12926d48a5
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/ManagedWallet.sol#L59-L69
Vulnerability details
Impact
ManagedWallet.sol
states that:However, the current 30-day wait period can be bypassed.
The expected order by the protocol is:
proposeWallets()
is called bymainWallet
.confirmationWallet
sends at least 0.05 ether and causes thereceive()
function to trigger. This sets theactiveTimelock
toblock.timestamp + TIMELOCK_DURATION
i.e. 30 days into the future.proposedMainWallet
callschangeWallets()
after 30 days and the new wallet addresses are set.To bypass the 30-day limitation, the following flow can be used:
confirmationWallet
sends at least 0.05 ether and causes thereceive()
function to trigger. This sets theactiveTimelock
toblock.timestamp + TIMELOCK_DURATION
i.e. 30 days into the future.proposeWallets()
is called bymainWallet
proposedMainWallet
callschangeWallets()
Impact: Although the users believe that any changes to wallet address is going to have a timelock of 30 days as promised by the protocol, it really can be bypassed by the current admins/wallet addresses. This breaks the intended functionality implmentation.
Proof of Concept
Add the following inside
2024-01-salty/src/root_tests/ManagedWallet.t.sol
and run withCOVERAGE="yes" NETWORK="sep" forge test -vv --rpc-url https://rpc.sepolia.org/ --mt test_ManipulateActiveTimeLockBeforeProposingNewWallets
:Tools used
Foundry
Recommended Mitigation Steps
Inside
receive()
make sure an active proposal exists:Assessed type
Access Control