code-423n4 / 2024-02-tapioca-findings


brokerClaim can be called by anyone and used to mint oTAP and aoTAP #32

Closed c4-bot-4 closed 5 months ago

c4-bot-4 commented 6 months ago

Lines of code

https://github.com/Tapioca-DAO/tap-token//blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/options/oTAP.sol#L107-L110
https://github.com/Tapioca-DAO/tap-token//blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/option-airdrop/aoTAP.sol#L117-L120

Vulnerability details

Impact

The brokerClaim function of oTAP and aoTAP can be called by anyone, and the caller becomes the broker; the broker can then mint oTAP and aoTAP at will. Although the deployer can call these functions manually when deploying the contracts, this is not good practice.

    // Unrestricted: the first account to call this becomes the broker.
    function brokerClaim() external {
        if (broker != address(0)) revert OnlyOnce();
        broker = msg.sender;
    }

Proof of Concept

https://github.com/Tapioca-DAO/tap-token//blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/options/oTAP.sol#L107-L110
https://github.com/Tapioca-DAO/tap-token//blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/option-airdrop/aoTAP.sol#L117-L120

Tools Used

None

Recommended Mitigation Steps

It is recommended to set the broker in the constructor of oTAP and aoTAP.

Assessed type

Context
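A simplified illustration of the recommended mitigation, added here as an example and not taken from the Tapioca contracts: the broker is fixed in the constructor, so there is no claimable window between deployment and setup, and minting is gated on that address. The contract name, `mint` signature and ownership mapping are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal contract (not Tapioca's oTAP/aoTAP) showing the
// broker set once in the constructor instead of via a public brokerClaim().
contract BrokerGatedOption {
    address public immutable broker;          // fixed at deployment, cannot be claimed later
    uint256 public nextId;
    mapping(uint256 => address) public ownerOf;

    error NotBroker();
    error ZeroAddress();

    event Minted(uint256 indexed id, address indexed to);

    constructor(address _broker) {
        // Reject a zero broker so the contract cannot be deployed unusable.
        if (_broker == address(0)) revert ZeroAddress();
        broker = _broker;
    }

    modifier onlyBroker() {
        if (msg.sender != broker) revert NotBroker();
        _;
    }

    // Only the deployment-time broker can mint; every other caller reverts.
    function mint(address to) external onlyBroker returns (uint256 id) {
        if (to == address(0)) revert ZeroAddress();
        id = ++nextId;
        ownerOf[id] = to;
        emit Minted(id, to);
    }
}
```

Because `broker` is `immutable`, there is no setter to protect and no first-caller race to reason about; the deployer passes the intended broker address as a constructor argument.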

c4-judge commented 6 months ago

dmvt marked the issue as primary issue

c4-sponsor commented 6 months ago

0xRektora (sponsor) acknowledged

c4-sponsor commented 6 months ago

0xRektora marked the issue as disagree with severity

0xRektora commented 6 months ago

Informational. This was made purposefully. Deployment/setup are done in the same Tx.

c4-judge commented 6 months ago

dmvt changed the severity to QA (Quality Assurance)

c4-judge commented 6 months ago

dmvt marked the issue as grade-b