The protocol uses a claimable yield mode for claiming ETH yield. However, when rewardsManagerAddress is address(0), setBlastGovernor is bypassed, which leaves the current contract as the governor. After contract creation, only the governor can reconfigure the contract's yield and gas mode.
Proof of Concept
```solidity
if (rewardsManagerAddress != address(0)) {
    setBlastGovernor(rewardsManagerAddress);
}
```

```solidity
function setBlastGovernor(address _governor) internal {
    if (_governor == address(0)) revert InvalidGovernorError();
    if (address(blastContract) == address(0)) return;
    if (_governorConfigured == address(0)) {
        // if this contract is the governor then it should claim its own yield/gas
        if (_governor != address(this)) {
            // Once this is called the governor will be the only account allowed to configure
            blastContract.configureGovernor(_governor);
        }
    } else {
        IHoldsGovernorship(_governorConfigured).reassignBlastGovernor(_governor);
    }
    _governorConfigured = _governor;
}
```
During contract deployment, the protocol invokes __BaseBlastManager_reconfigure and then setBlastGovernor. As seen in BaseBlastManager.sol, if rewardsManagerAddress is address(0), setBlastGovernor can be bypassed. This results in the current contract being set as the default governor. However, the current contract does not implement the claimYield or claimAllYield functions.
Furthermore, after contract creation, only the governor can reconfigure the contract’s yield and gas mode. Therefore, the admin cannot reconfigure the yield and gas mode through the current contract.
Tools Used
Foundry
Recommended Mitigation Steps
Add claimYield and claimAllYield functions:
```solidity
function claimYield(address recipient, uint256 amount) external {
    //This function is public meaning anyone can claim the yield
    IBlast(0x43...02).claimYield(address(this), recipient, amount);
}

function claimAllYield(address recipient) external {
    //This function is public meaning anyone can claim the yield
    IBlast(0x43...02).claimAllYield(address(this), recipient);
}
```
Or ensure rewardsManagerAddress is not the zero address.
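A Foundry test added here to illustrate the second mitigation; it is not part of this report or the Munchables codebase. MockBlast, YieldManager and the enforceNonZero flag are constructed for the example: the first test shows that a zero rewardsManagerAddress leaves no governor configured on Blast, the second shows the deployment reverting once the zero-address check is enforced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol";

// Constructed stand-in for the Blast predeploy: remembers which governor each caller set.
contract MockBlast {
    mapping(address => address) public governorOf;
    function configureGovernor(address governor) external {
        governorOf[msg.sender] = governor;
    }
}

// Minimal model of the reported pattern (hypothetical); enforceNonZero toggles the proposed check.
contract YieldManager {
    MockBlast public immutable blast;
    address public governorConfigured;
    error InvalidGovernorError();

    constructor(MockBlast _blast, address rewardsManagerAddress, bool enforceNonZero) {
        blast = _blast;
        if (enforceNonZero && rewardsManagerAddress == address(0)) revert InvalidGovernorError();
        // Original guard: a zero address silently skips governor configuration.
        if (rewardsManagerAddress != address(0)) _setBlastGovernor(rewardsManagerAddress);
    }

    function _setBlastGovernor(address _governor) internal {
        if (_governor == address(0)) revert InvalidGovernorError();
        if (_governor != address(this)) blast.configureGovernor(_governor);
        governorConfigured = _governor;
    }
}

contract GovernorBypassTest is Test {
    MockBlast blast;
    function setUp() public {
        blast = new MockBlast();
    }

    // Zero rewards manager: nothing is configured on Blast, so only the manager itself could reconfigure.
    function test_zeroRewardsManagerLeavesGovernorUnset() public {
        YieldManager m = new YieldManager(blast, address(0), false);
        assertEq(m.governorConfigured(), address(0));
        assertEq(blast.governorOf(address(m)), address(0));
    }

    // With the check enabled, a zero rewards manager cannot be deployed at all.
    function test_hardenedConstructorRejectsZero() public {
        vm.expectRevert(YieldManager.InvalidGovernorError.selector);
        new YieldManager(blast, address(0), true);
    }
}
```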
Lines of code
https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L82
Assessed type
Other