code-423n4 / 2024-05-loop-findings


LRT token can only be allowed #101

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L364

Vulnerability details

Impact

The contract only supports adding LRT Tokens and there's no way to remove tokens.

Proof of Concept

Currently, the contract only supports adding LRT Tokens, and there's no way to remove an existing token from isTokenAllowed mapping.

    // One-way switch: the flag is only ever set to true, and no other
    // function in the contract writes to isTokenAllowed.
    function allowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = true;
    }

Tools Used

Manual

Recommended Mitigation Steps

Add a param _allow to specify the value.

Assessed type

Context

0xd4n1el commented 4 months ago

Disallowing tokens poses a critical risk in the case of a malicious owner, since it has the power to withdraw non-allowed tokens. Also, there is no risk for users or for the team in allowing malicious tokens, or at least not proven in this submission.
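The following contract is an added example written for this page; it is not the LoopFi PrelaunchPoints contract and not code from the warden or the sponsor. It shows the one-way `allowToken` quoted in the finding next to the recommended `_allow` parameter, and it folds in the sponsor's objection above: if the owner can sweep tokens that are not on the allow-list, then disallowing a token that users still have locked turns the allow-list into a rug-pull lever. Everything beyond the `isTokenAllowed` mapping and the `onlyAuthorized`-gated `allowToken` is assumed for illustration: the `owner`, the `totalLocked` accounting, the `TokenAllowanceChanged` event, `lockToken`, and the `recoverToken` sweep function that stands in for the withdrawal power the sponsor describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by the example (assumed, not from the page).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added example, not the PrelaunchPoints contract. Only isTokenAllowed and the
// onlyAuthorized-gated allowToken are taken from the finding; the rest is a
// hypothetical illustration of the finding's mitigation and its trade-off.
contract AllowListExample {
    address public immutable owner;
    mapping(address => bool) public isTokenAllowed;
    // Hypothetical: total amount of each token users currently have locked here.
    mapping(address => uint256) public totalLocked;
    mapping(address => mapping(address => uint256)) public lockedBalance;

    event TokenAllowanceChanged(address indexed token, bool allowed);

    modifier onlyAuthorized() {
        require(msg.sender == owner, "not authorized");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Before: as quoted in the finding. A one-way switch: once true, never false.
    function allowTokenOneWay(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = true;
    }

    // After: the recommended mitigation, a bool parameter, plus an event so the
    // change is visible off-chain.
    function allowToken(address _token, bool _allow) external onlyAuthorized {
        // Sponsor's caveat: if the owner can sweep non-allowed tokens (see
        // recoverToken below), disallowing a token with user funds locked in it
        // would let a malicious owner sweep those funds. This hypothetical guard
        // refuses to disallow a token while anything is still locked in it.
        if (!_allow) {
            require(totalLocked[_token] == 0, "token has locked balances");
        }
        isTokenAllowed[_token] = _allow;
        emit TokenAllowanceChanged(_token, _allow);
    }

    // Hypothetical user entry point: only allow-listed tokens can be locked.
    function lockToken(address _token, uint256 _amount) external {
        require(isTokenAllowed[_token], "token not allowed");
        require(IERC20(_token).transferFrom(msg.sender, address(this), _amount), "transferFrom failed");
        lockedBalance[msg.sender][_token] += _amount;
        totalLocked[_token] += _amount;
    }

    // Hypothetical sweep function of the kind the sponsor's comment describes:
    // the owner may withdraw only tokens that are NOT on the allow-list. Without
    // the guard in allowToken, owner could disallow a token and then sweep it.
    function recoverToken(address _token, address _to, uint256 _amount) external onlyAuthorized {
        require(!isTokenAllowed[_token], "cannot recover allowed token");
        require(IERC20(_token).transfer(_to, _amount), "transfer failed");
    }
}
```

The point of the `totalLocked` check is that a reversible allow-list and an owner-only sweep of non-allowed tokens are only safe together when disallowing cannot strand user deposits on the sweepable side; whether the real contract needs that guard depends on what its withdrawal path actually permits, which this submission did not establish.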

c4-judge commented 3 months ago

koolexcrypto changed the severity to QA (Quality Assurance)

c4-judge commented 3 months ago

koolexcrypto marked the issue as grade-c