code-423n4 / 2024-05-loop-findings


If an allowed token is found to have a vulnerability, there is no way to remove it, which could harm the protocol #89

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L364-L366

Vulnerability details

Impact

There is no way to avoid harm from an allowed token that has been proved exploitable.

Proof of Concept

The owner of PrelaunchPoints has the authority to add an allowed token, but can't remove it if one of the allowed tokens has been proved exploitable; this could harm the protocol.

    function allowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = true;
    }

Tools Used

Vscode

Recommended Mitigation Steps

Add a bool parameter to add/remove an allowed token

-    function allowToken(address _token) external onlyAuthorized {
+    function allowToken(address _token, bool isAllowed) external onlyAuthorized {
-        isTokenAllowed[_token] = true;
+        isTokenAllowed[_token] = isAllowed;
    }
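
Review bot: In the changed `allowToken` signature, the new `isAllowed` flag makes the function name misleading, since a call with `false` now revokes a token; consider a name such as `setTokenAllowed`. The hunk emits no event, so a revocation is not observable off-chain from these lines; emitting one carrying `_token` and `isAllowed` would make allowlist changes auditable. The visible lines also do not show which code paths read `isTokenAllowed`, so what clearing an entry does to balances already held in that token should be checked before adopting this change.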

Assessed type

Access Control

0xd4n1el commented 3 months ago

This poses a security risk in the case of a malicious owner, since disallowedTokens can be withdrawn by the owner.

c4-judge commented 3 months ago

koolexcrypto marked the issue as duplicate of #90

c4-judge commented 3 months ago

koolexcrypto marked the issue as unsatisfactory: Invalid