0xd4n1el
commented
3 months ago This poses a security risk in case of malicious owner, since disallowedTokens can be withdrawn by owner
Closed howlbot-integration[bot] closed 3 months ago
0xd4n1el
commented
3 months ago This poses a security risk in case of malicious owner, since disallowedTokens can be withdrawn by owner
c4-judge
commented
3 months ago koolexcrypto marked the issue as duplicate of #98
c4-judge
commented
3 months ago koolexcrypto marked the issue as duplicate of #90
c4-judge
commented
3 months ago koolexcrypto marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L360-L366
Vulnerability details
Impact
The smart contract has a method to allow tokens to be supported by the platform but lacks a function to dis-allow the supported/allowed tokens which can brick the system if underlying tokens has to be changed or they get hacked or some public vulnerability is disclosed in those tokens.
Proof of Concept
Tokens ,at the very lean explanation , are just balances in the mappings of smart contracts . Till date , billions of dollars has been stolen from smart contracts due to the vulnerable nature of human creation.
Multiple tokens are hacked due the vulnerabilities that have been exploited in them.
For example one of them was a token that allowed double spending in the transfer function where the
to&fromaddress was the same and it used cached balances to update the state variables.rekt.news is a great source to look for such type of hacks.
Now coming back , if a bug like that or even worse is reported in one of the allowed tokens or due to any reason the protocol wants to remove some tokens from the allowlist , there is no function to dis-allow the tokens,
Which might leave the system in an undersired state for the long run.
Tools Used
Manual review
Recommended Mitigation Steps
Modify the
allowTokenfunction to a toggler like followingAssessed type
Other