Closed c4-bot-1 closed 7 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #20
HickupHH3 marked the issue as not a duplicate
merely a recommendation on privileged roles
1R
HickupHH3 changed the severity to QA (Quality Assurance)
HickupHH3 marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2024-02-ai-arena/blob/1d18d1298729e443e14fea08149c77182a65da32/src/Neuron.sol#L155-L159
https://github.com/code-423n4/2024-02-ai-arena/blob/1d18d1298729e443e14fea08149c77182a65da32/src/Neuron.sol#L56
https://github.com/code-423n4/2024-02-ai-arena/blob/1d18d1298729e443e14fea08149c77182a65da32/src/Neuron.sol#L73
https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/GameItems.sol#L147-L176
Vulnerability details
Impact
Missing access controls allow the contract owner to perform critical operations, such as token minting, without limit. The broad privilege stems from the owner role in the Neuron token contract (File: src/Neuron.sol, mint, #L155-L159) and from the admin configuration (File: src/Neuron.sol#L56 and File: src/Neuron.sol#L73).
This enables the owner to:
Without checks and balances.
For example, unlimited minting:
Total loss of trust. Participants abandon ecosystem due to lack of fairness or integrity.
Proof of Concept
File: src/Neuron.sol
Together these allow the founder/owner to:
Without any checks or oversight. Giving a single address unrestrained control over the token supply and contract privileges is very dangerous.
Tools Used
VSCode
Recommended Mitigation Steps
Multi-sig schemes, time-locks, and reduced authority.
Adding governance constraints and applying the principle of least authority here would mitigate the issues.
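The following is an added illustration of the recommended mitigation; it is not the project's Neuron.sol and does not reproduce its code. It assumes OpenZeppelin's ERC20 and AccessControl contracts (real libraries) and a hypothetical `governance` address that is intended to be a TimelockController fronted by a multisig. Instead of one owner key that can both mint and reassign privileges, the token separates an admin role from a minter role, caps total supply, and bounds each minter by an explicit, admin-set allowance, so no single address can mint an unbounded amount.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// Illustrative token applying least authority to minting.
/// Added example; not the project's Neuron.sol.
contract LeastAuthorityToken is ERC20, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");

    /// Hard ceiling on total supply; cannot be changed after deployment.
    uint256 public immutable MAX_SUPPLY;

    /// Each minter may mint at most this much before the admin tops it up.
    /// The admin is expected to be a timelock/multisig, so every increase
    /// is visible on-chain before it takes effect.
    mapping(address => uint256) public mintAllowance;

    event MintAllowanceSet(address indexed minter, uint256 allowance);

    /// `governance` is a hypothetical address assumed to be a
    /// TimelockController whose proposers/executors are a multisig.
    constructor(address governance, uint256 maxSupply)
        ERC20("Example Token", "EXT")
    {
        require(governance != address(0), "governance required");
        MAX_SUPPLY = maxSupply;
        // DEFAULT_ADMIN_ROLE administers MINTER_ROLE; the deployer keeps nothing.
        _grantRole(DEFAULT_ADMIN_ROLE, governance);
    }

    /// Only governance can grant minting budget, and only to an address
    /// that already holds MINTER_ROLE (granted via AccessControl.grantRole).
    function setMintAllowance(address minter, uint256 allowance)
        external
        onlyRole(DEFAULT_ADMIN_ROLE)
    {
        require(hasRole(MINTER_ROLE, minter), "not a minter");
        mintAllowance[minter] = allowance;
        emit MintAllowanceSet(minter, allowance);
    }

    /// Minting is bounded twice: by the global cap and by the caller's
    /// remaining allowance. Neither the minter nor the admin can bypass the cap.
    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        require(totalSupply() + amount <= MAX_SUPPLY, "cap exceeded");
        uint256 allowed = mintAllowance[msg.sender];
        require(amount <= allowed, "mint allowance exceeded");
        mintAllowance[msg.sender] = allowed - amount;
        _mint(to, amount);
    }
}
```

In this arrangement the admin role can still add minters and raise allowances, but because the admin is a timelock, each such change is queued for a minimum delay and can be observed and contested before execution; the supply cap is immutable, so even a compromised admin cannot mint past it. A review of the real contract should confirm that every privileged path (minting, role assignment, admin changes) is covered by an equivalent limit.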
Assessed type
Token-Transfer