code-423n4 / 2024-05-loop-findings


Tokens cannot be disallowed once allowed #85

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L364-L366

Vulnerability details

Impact

Once a token is allowed, it can never be disallowed again.

Proof of Concept

The allowToken function only sets isTokenAllowed to true for a token address. There is no way to set it back to false once allowed.

    function allowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = true;
    }

Tokens should be able to be allowed and disallowed as needed.

Tools Used

Recommended Mitigation Steps

Add a disallowToken function:

    function disallowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = false;
    }

Assessed type

Context

0xd4n1el commented 4 months ago

This poses a security risk in case of a malicious owner, since disallowedTokens can be withdrawn by the owner.
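The trade-off raised in the comment above, as an added example that is not part of this thread or the project's code: a simplified Python model comparing the one-way allowlist, an allowlist with `disallowToken`, and a variant that goes beyond the thread by remembering tokens that were ever allowed. It assumes an owner-only recovery function that refuses tokens currently marked allowed (the page does not show that function), and every name in it is hypothetical.

```python
class Revert(Exception):
    """Stands in for a Solidity revert."""


class LockModel:
    def __init__(self, with_disallow=False, track_ever_allowed=False):
        self.allowed = {}            # token -> bool, mirrors isTokenAllowed
        self.ever_allowed = set()    # assumption: extra state, not in the thread
        self.held = {}               # token -> amount locked by users
        self.with_disallow = with_disallow
        self.track_ever_allowed = track_ever_allowed

    def allow_token(self, token):
        self.allowed[token] = True
        self.ever_allowed.add(token)

    def disallow_token(self, token):
        if not self.with_disallow:
            raise Revert("one-way design: no disallow path")
        self.allowed[token] = False

    def lock(self, token, amount):
        if not self.allowed.get(token, False):
            raise Revert("token not allowed")
        self.held[token] = self.held.get(token, 0) + amount

    def recover(self, token):
        # Assumed owner-only rescue of stray tokens: refuses deposit tokens.
        blocked = self.allowed.get(token, False)
        if self.track_ever_allowed and token in self.ever_allowed:
            blocked = True
        if blocked:
            raise Revert("cannot recover a deposit token")
        return self.held.pop(token, 0)


def owner_can_take_deposits(model):
    """Allow a token, let a user lock 100, then try disallow + recover as owner."""
    model.allow_token("TKN")         # constructed sample token
    model.lock("TKN", 100)
    try:
        model.disallow_token("TKN")
    except Revert:
        pass                         # one-way design: nothing to flip
    try:
        return model.recover("TKN") > 0
    except Revert:
        return False
```

In the third configuration a disallowed token stops accepting new locks but stays out of reach of the recovery path.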

c4-judge commented 3 months ago

koolexcrypto marked the issue as duplicate of #90

c4-judge commented 3 months ago

koolexcrypto marked the issue as unsatisfactory: Invalid