code-423n4 / 2024-02-althea-liquid-infrastructure-findings


Anyone can call withdrawFromManagedNFT() and deposit all tokens to the liquidInfrastructureERC20.sol #759

Closed c4-bot-8 closed 8 months ago

c4-bot-8 commented 9 months ago

Lines of code

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/bd6ee47162368e1999a0a5b8b17b701347cf9a7d/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L359

Vulnerability details

Impact

The function withdrawFromManagedNFT is used to deposit all tokens in all the managed NFTs' accounts to LiquidInfrastructureERC20.sol to control. I believe that this functionality is an important one and therefore shouldn't be made public, as anyone can call it.

Proof of Concept


Tools Used

manual review

Recommended Mitigation Steps

Make the function callable only by `onlyOwner`.

Assessed type

Access Control

c4-pre-sort commented 9 months ago

0xRobocop marked the issue as insufficient quality report

0xRobocop commented 9 months ago

Poor quality

c4-sponsor commented 9 months ago

ChristianBorst (sponsor) disputed

ChristianBorst commented 9 months ago

The owner (aka manager) of the LiquidInfrastructureERC20 must call addManagedNFT() for any NFT to be considered for this process. We expect the owner to vet all the NFTs to be safe for frequent withdrawals initiated by anyone. It is public so that users who wish to pay the gas and get a revenue distribution early can do so.
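The sponsor's point above, that the access control sits on addManagedNFT() rather than on the withdrawal, as an added illustrative contract (not the project's code; IManagedRevenueNFT, withdrawBalancesTo, ManagedRevenueVault and the reentrancy guard are assumptions for this example). The owner vets which contracts the public loop may call; the loop itself takes no caller input, so the only effect an arbitrary caller can have is to trigger the pull, at their own gas cost:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC20 surface used for the balance invariant below.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical interface for a managed NFT that accumulates revenue tokens
/// (an assumption for this example; not the project's own interface).
interface IManagedRevenueNFT {
    /// Transfers the NFT's full balance of each listed ERC20 to `destination`.
    function withdrawBalancesTo(address[] calldata erc20s, address destination) external;
}

/// Illustrative contract: registration of NFTs is owner-gated, the withdrawal
/// loop is permissionless. Example code, not the project's implementation.
contract ManagedRevenueVault {
    address public owner;
    address[] public managedNFTs;
    address[] public distributableERC20s;
    bool private locked;

    event ManagedNFTAdded(address indexed nft);
    event ManagedNFTRemoved(address indexed nft);
    event WithdrawnFromManagedNFTs(address indexed caller, uint256 count);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // The withdrawal loop makes external calls into NFT contracts; a simple
    // guard keeps a misbehaving NFT from re-entering this contract mid-loop.
    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    constructor(address[] memory erc20s) {
        owner = msg.sender;
        distributableERC20s = erc20s;
    }

    /// The vetting step: only the owner decides which contracts the public
    /// withdrawal loop will ever call.
    function addManagedNFT(address nft) external onlyOwner {
        require(nft != address(0), "zero address");
        for (uint256 i = 0; i < managedNFTs.length; i++) {
            require(managedNFTs[i] != nft, "already managed");
        }
        managedNFTs.push(nft);
        emit ManagedNFTAdded(nft);
    }

    /// Swap-and-pop removal, owner-gated for the same reason.
    function removeManagedNFT(address nft) external onlyOwner {
        uint256 n = managedNFTs.length;
        for (uint256 i = 0; i < n; i++) {
            if (managedNFTs[i] == nft) {
                managedNFTs[i] = managedNFTs[n - 1];
                managedNFTs.pop();
                emit ManagedNFTRemoved(nft);
                return;
            }
        }
        revert("not managed");
    }

    /// Deliberately callable by anyone. The caller controls nothing the loop
    /// uses: not the NFT list, not the token list, not the destination. The
    /// only outcome is that revenue already owed to this contract arrives
    /// sooner. As a cheap invariant, balances are asserted not to decrease so
    /// an unexpected effect of the external calls turns into a revert.
    function withdrawFromManagedNFTs() external nonReentrant {
        uint256[] memory before = new uint256[](distributableERC20s.length);
        for (uint256 t = 0; t < distributableERC20s.length; t++) {
            before[t] = IERC20Minimal(distributableERC20s[t]).balanceOf(address(this));
        }
        for (uint256 i = 0; i < managedNFTs.length; i++) {
            IManagedRevenueNFT(managedNFTs[i]).withdrawBalancesTo(distributableERC20s, address(this));
        }
        for (uint256 t = 0; t < distributableERC20s.length; t++) {
            require(
                IERC20Minimal(distributableERC20s[t]).balanceOf(address(this)) >= before[t],
                "balance decreased"
            );
        }
        emit WithdrawnFromManagedNFTs(msg.sender, managedNFTs.length);
    }
}
```

When reviewing a public function like this, the question to answer is which caller-controlled values reach the external calls and the state writes. Here none do, so adding `onlyOwner` would not remove an attack surface; it would only remove the ability of token holders to pay gas and trigger the pull themselves, which the sponsor says is intended.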

c4-judge commented 8 months ago

0xA5DF marked the issue as unsatisfactory: Invalid