code-423n4 / 2024-05-loop-findings


Missing Token Removal Functionality #84

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L364-L366

Vulnerability details

Impact

The lack of token removal functionality undermines the contract's security and flexibility. It could lead to situations where unauthorized tokens remain permitted.

Proof of Concept

The contract lacks a function to remove or disallow tokens once they have been added using the allowToken function. This omission poses a potential security risk as there is no mechanism to revoke permission for tokens that are no longer desired or trusted.

function allowToken(address _token) external onlyAuthorized {
    isTokenAllowed[_token] = true;
}

Tools Used

Manual code review

Recommended Mitigation Steps

Add disallowToken function

function disallowToken(address _token) external onlyAuthorized {
    isTokenAllowed[_token] = false;
}

Assessed type

Context
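To illustrate the proposed mitigation end to end, here is an added sketch of an allowlist with both an add and a revoke path, plus a deposit function that checks the allowlist at call time. This is example code written for this page; it is not the PrelaunchPoints contract and the `owner`, `lock`, `withdraw` and `TokenAllowed` names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical allowlist sketch for this finding, not the audited contract.
contract TokenAllowlist {
    using SafeERC20 for IERC20;

    address public owner;
    mapping(address => bool) public isTokenAllowed;
    mapping(address => mapping(address => uint256)) public balances;

    // One event for both directions so off-chain monitoring sees every allowlist change.
    event TokenAllowed(address indexed token, bool allowed);

    error NotAuthorized();
    error TokenNotAllowed(address token);

    modifier onlyAuthorized() {
        if (msg.sender != owner) revert NotAuthorized();
        _;
    }

    constructor() { owner = msg.sender; }

    function allowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = true;
        emit TokenAllowed(_token, true);
    }

    // The counterpart the report says is missing: revokes permission for a token.
    function disallowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = false;
        emit TokenAllowed(_token, false);
    }

    // Allowlist is enforced at deposit time, so a revoked token stops new
    // deposits while balances already held stay withdrawable by their depositor.
    function lock(address _token, uint256 _amount) external {
        if (!isTokenAllowed[_token]) revert TokenNotAllowed(_token);
        IERC20(_token).safeTransferFrom(msg.sender, address(this), _amount);
        balances[msg.sender][_token] += _amount;
    }

    function withdraw(address _token, uint256 _amount) external {
        balances[msg.sender][_token] -= _amount; // reverts on underflow
        IERC20(_token).safeTransfer(msg.sender, _amount);
    }
}
```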

0xd4n1el commented 4 months ago

This poses a security risk in case of a malicious owner, since disallowed tokens can be withdrawn by the owner.

c4-judge commented 3 months ago

koolexcrypto marked the issue as duplicate of #90

c4-judge commented 3 months ago

koolexcrypto marked the issue as unsatisfactory: Invalid