code-423n4 / 2024-05-munchables-validation


attacker can increase the unlocktime of any user without needing permission #603

Open c4-bot-6 opened 6 months ago

c4-bot-6 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L383
https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L290

Vulnerability details

Impact

An attacker can constantly keep increasing the unlock time of any user without needing permission, preventing any user they wish from unlocking.

Proof of Concept

The lockOnBehalf() function allows anyone to lock on behalf of any user:

    function lockOnBehalf(
        address _tokenContract,
        uint256 _quantity,
        address _onBehalfOf
    )
        external
        payable
        notPaused
        onlyActiveToken(_tokenContract)
        onlyConfiguredToken(_tokenContract)
        nonReentrant
    {
        address tokenOwner = msg.sender;
        address lockRecipient = msg.sender;
        if (_onBehalfOf != address(0)) {
  @>        lockRecipient = _onBehalfOf;
        }

        _lock(_tokenContract, _quantity, tokenOwner, lockRecipient);
    }

Note that there is no minimum amount required to call this function, meaning it can be called with 1 wei. Also note that no permission is required to call the function for any user. The issue here is that at the end of the _lock() function, the recipient's unlockTime is updated:

        lockedToken.unlockTime =
            uint32(block.timestamp) +
            uint32(_lockDuration);

This gives attackers the ability to keep increasing the unlock time of any user without needing permission, preventing any user they wish from unlocking.

Tools Used

Manual Review

Recommended Mitigation Steps

Allow users to grant permission for who can lock on behalf of them.

Assessed type

Access Control
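
One way the recommended mitigation could look, as an added sketch that is not part of the original report and not the Munchables LockManager code. It assumes an ETH-only lock with a fixed duration; `LockAllowlistSketch`, `setApprovedLocker`, `approvedLocker` and `LOCK_DURATION` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's contract: a minimal ETH-only model of
// the unlockTime update with an opt-in allowlist for third-party lockers.
contract LockAllowlistSketch {
    struct LockedToken {
        uint256 quantity;
        uint32 unlockTime;
    }

    uint32 public constant LOCK_DURATION = 30 days; // assumed fixed duration

    mapping(address => LockedToken) public locked;
    // recipient => locker => allowed (hypothetical storage layout)
    mapping(address => mapping(address => bool)) public approvedLocker;

    error LockerNotApproved(address recipient, address locker);
    error StillLocked(uint32 unlockTime);

    // The recipient opts in (or out) for one specific third-party locker.
    function setApprovedLocker(address locker, bool allowed) external {
        approvedLocker[msg.sender][locker] = allowed;
    }

    function lockOnBehalf(address onBehalfOf) external payable {
        address recipient = onBehalfOf == address(0) ? msg.sender : onBehalfOf;
        // Hardening: only the recipient, or a locker the recipient approved,
        // may touch the recipient's lock, so a stranger's 1 wei deposit
        // reverts here instead of moving unlockTime.
        if (recipient != msg.sender && !approvedLocker[recipient][msg.sender]) {
            revert LockerNotApproved(recipient, msg.sender);
        }
        LockedToken storage lt = locked[recipient];
        lt.quantity += msg.value;
        // Same shape as the update quoted in the report: each lock restarts the timer.
        lt.unlockTime = uint32(block.timestamp) + LOCK_DURATION;
    }

    function unlock() external {
        LockedToken storage lt = locked[msg.sender];
        if (block.timestamp < lt.unlockTime) revert StillLocked(lt.unlockTime);
        uint256 amount = lt.quantity;
        lt.quantity = 0; // clear state before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

With the allowlist check in place, the timer reset in `lockOnBehalf` is reachable only by the recipient or by an address the recipient has explicitly approved and can later revoke.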