It is assumed that only admin can call functions from RollupAdminLogic.sol. But anyone can call this functions, as there is no restriction modifiers in all functions, here is one example:
function setValidator(address[] calldata _validator, bool[] calldata _val) external override {
require(_validator.length > 0, "EMPTY_ARRAY");
require(_validator.length == _val.length, "WRONG_LENGTH");
for (uint256 i = 0; i < _validator.length; i++) {
isValidator[_validator[i]] = _val[i];
}
emit OwnerFunctionCalled(6);
}
The only modifiers is in functions that interact with bridge:
Lines of code
https://github.com/code-423n4/2024-05-arbitrum-foundation/blob/6f861c85b281a29f04daacfe17a2099d7dad5f8f/src/rollup/RollupAdminLogic.sol#L18-L330
Vulnerability details
Summary
Lack of access control in
RollupAdminLogic.sol
.Proof of Concept
It is assumed that only admin can call functions from
RollupAdminLogic.sol
. But anyone can call this functions, as there is no restriction modifiers in all functions, here is one example:The only modifiers is in functions that interact with bridge:
As we can see, it only checks if call was made from
RollupAdminLogic
, but it does not check if admin calls this function inRollupAdminLogic
.Impact
Anyone can call admin functions.
Tools Used
Manual review.
Recommended Mitigation Steps
Add
onlyOwner
modifier in all functions inRollupAdminLogic.sol
.Assessed type
Access Control