code-423n4 / 2024-06-vultisig-findings


Improper `_whitelistIndex` check in the `Whitelist.checkWhitelist()` function. #21

Closed c4-bot-4 closed 5 months ago

c4-bot-4 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-06-vultisig/blob/main/hardhat-vultisig/contracts/Whitelist.sol#L204-L228

Vulnerability details

Impact

Attackers can manipulate the price of the Uniswap V3 pool before the launch, potentially leading to the reversal of the launch.

Proof of Concept

If _whitelistIndex[to] = 0, then the check at L216 will pass. This means this check does not work for unregistered addresses. As a result, attackers can manipulate the price of the Uniswap V3 pool before the launch. This could lead to the reversal of the launch, as the launch requires the price of the Uniswap V3 pool to remain unchanged.

    function checkWhitelist(address from, address to, uint256 amount) external onlyVultisig {
        if (from == _pool && to != owner()) {
            // We only add limitations for buy actions via uniswap v3 pool
            // Still need to ignore WL check if it's owner related actions
            if (_locked) {
                revert Locked();
            }

            if (_isBlacklisted[to]) {
                revert Blacklisted();
            }

            if (_allowedWhitelistIndex == 0 || _whitelistIndex[to] > _allowedWhitelistIndex) { // L216
                revert NotWhitelisted();
            }

            // // Calculate rough ETH amount for VULT amount
            uint256 estimatedETHAmount = IOracle(_oracle).peek(amount);
            if (_contributed[to] + estimatedETHAmount > _maxAddressCap) {
                revert MaxAddressCapOverflow();
            }

            _contributed[to] += estimatedETHAmount;
        }
    }

Tools Used

Manual review

Recommended Mitigation Steps

The _whitelistIndex check should be improved as follows.

-           if (_allowedWhitelistIndex == 0 || _whitelistIndex[to] > _allowedWhitelistIndex) {
+           if (_allowedWhitelistIndex == 0 || _whitelistIndex[to] > _allowedWhitelistIndex || !_whitelistIndex[to]) {
                revert NotWhitelisted();
            }
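
Review bot: the added condition `!_whitelistIndex[to]` on the `+` line will not compile. The same value is compared with `>` against `_allowedWhitelistIndex`, so it is an integer, and Solidity's `!` operator accepts only `bool`. Write the zero test explicitly as `_whitelistIndex[to] == 0`, and add a short comment that index 0 means the address was never registered, so the reason for the extra clause stays visible next to the range comparison.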

Assessed type

Invalid Validation
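
The default-zero behaviour the report relies on, as an added example that is not part of the original issue or the Vultisig code base: a simplified model in which `register`, `setAllowedWhitelistIndex`, `checkAsReported` and `checkWithZeroGuard` are hypothetical names, indices are assumed to start at 1, and access control, blacklist and cap logic are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Simplified model of the whitelist index check (illustration only).
contract WhitelistIndexModel {
    error NotWhitelisted();

    // Unset mapping entries read as 0, so 0 also means "never registered".
    mapping(address => uint256) private _whitelistIndex;
    uint256 private _whitelistCount; // last index handed out
    uint256 private _allowedWhitelistIndex; // highest index allowed to buy

    // Assumption: registration hands out indices 1, 2, 3, ...
    function register(address account) external {
        if (_whitelistIndex[account] == 0) {
            _whitelistIndex[account] = ++_whitelistCount;
        }
    }

    function setAllowedWhitelistIndex(uint256 newIndex) external {
        _allowedWhitelistIndex = newIndex;
    }

    // Same comparison as the reported line: 0 is never greater than the
    // allowed index, so an unregistered address does not revert here.
    function checkAsReported(address to) external view {
        if (_allowedWhitelistIndex == 0 || _whitelistIndex[to] > _allowedWhitelistIndex) {
            revert NotWhitelisted();
        }
    }

    // Treats index 0 as "not registered" before the range comparison.
    function checkWithZeroGuard(address to) external view {
        uint256 index = _whitelistIndex[to];
        if (_allowedWhitelistIndex == 0 || index == 0 || index > _allowedWhitelistIndex) {
            revert NotWhitelisted();
        }
    }
}
```

With `setAllowedWhitelistIndex(1)` and one registered address, `checkAsReported` returns normally for any other address while `checkWithZeroGuard` reverts with `NotWhitelisted`.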

c4-judge commented 4 months ago

alex-ppg marked the issue as partial-75