code-423n4 / 2024-07-basin-findings


Flawed Access Control in `notDelegatedOrIsMinimalProxy` Modifier Allows Unauthorized Function Calls #54

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-07-basin/blob/main/src/WellUpgradeable.sol#L22-L31

Vulnerability details

The `notDelegatedOrIsMinimalProxy` modifier is used to ensure that certain functions are not called through delegate calls and are only callable by certain contracts. The logic assumes that `address(this) != ___self` indicates a delegate call, but this may not be accurate for all minimal proxy patterns. This can lead to incorrect access control and function usage.

Impact

This could lead to unauthorized access or execution of critical functions if the modifier does not correctly identify delegate calls or minimal proxies.

Proof of Concept

1. Deploy the `WellUpgradeable` contract as a minimal proxy.
2. Call functions protected by the `notDelegatedOrIsMinimalProxy` modifier from an unexpected context.
3. The modifier may not correctly enforce the intended restrictions.

Tools Used

Manual Review

Recommended Mitigation Steps

1. Adjust the modifier to more accurately check for delegate calls and minimal proxies.
2. Use alternative mechanisms or patterns for access control to avoid reliance on potentially incorrect assumptions.

Assessed type

Access Control
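For reference, the comparison of `address(this)` against an address recorded at deployment, which the report discusses, behaves as follows under a regular call and under `delegatecall`. This is an added example, not part of the original report and not code from `WellUpgradeable.sol`; the contract and function names (`SelfAware`, `ContextProbe`, `deployedAt`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; names are hypothetical, not taken from WellUpgradeable.sol.
contract SelfAware {
    // Immutables are embedded in the deployed bytecode rather than in storage,
    // so this value is identical whichever account's context the code runs in.
    address private immutable deployedAt = address(this);

    // address(this) is the account whose context is executing. Under
    // DELEGATECALL (including the forwarding done by an EIP-1167 minimal
    // proxy) that is the calling contract, so the comparison yields true.
    function runsInForeignContext() external view returns (bool) {
        return address(this) != deployedAt;
    }
}

contract ContextProbe {
    SelfAware public immutable target;

    constructor() {
        target = new SelfAware();
    }

    // Regular CALL: the code runs in SelfAware's own context, result is false.
    function viaCall() external view returns (bool) {
        return target.runsInForeignContext();
    }

    // DELEGATECALL: the same code runs in this contract's context, result is true.
    function viaDelegatecall() external returns (bool) {
        (bool ok, bytes memory ret) = address(target).delegatecall(
            abi.encodeWithSelector(SelfAware.runsInForeignContext.selector)
        );
        require(ok, "delegatecall failed");
        return abi.decode(ret, (bool));
    }
}
```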

c4-judge commented 2 months ago

alex-ppg marked the issue as unsatisfactory: Invalid