code-423n4 / 2024-07-reserve-validation

Unprotected cacheComponents() function in RevenueTraderP1 contract #143

Closed c4-bot-1 closed 1 month ago

c4-bot-1 commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/RevenueTrader.sol#L41

Vulnerability details

Summary

The cacheComponents function, responsible for caching critical contract component addresses, is publicly accessible. This lack of access control allows any external entity to call this function and potentially redirect key operations to unintended or malicious contracts. This could result in unauthorized control over the contract’s core functionality, leading to severe financial and operational risks.

Impact

An attacker could exploit this vulnerability to reset component addresses to their own malicious contracts, resulting in unauthorized trading actions, misallocation of funds, and disruption of the system's operation.

Proof of concept.

// Assuming the RevenueTraderP1 contract is deployed at address 0x123...

// Attacker deploys a malicious contract that mimics one of the components
contract MaliciousDistributor {
    // Malicious logic here
}

function attack(address revenueTraderAddress) public {
    RevenueTraderP1 revenueTrader = RevenueTraderP1(revenueTraderAddress);

    // Attacker deploys their malicious contracts
    MaliciousDistributor maliciousDistributor = new MaliciousDistributor();

    // Attacker invokes the unprotected cacheComponents function
    revenueTrader.cacheComponents();

    // In this example, let's say the attacker knows that cacheComponents updates the distributor
    // They can now call revenueTrader with a fake main that returns the attacker's contracts
    revenueTrader.cacheComponents();

    // The attacker now controls the `distributor` logic and can manipulate revenue distribution.
}

Tools Used

Manual Review

Recommended Mitigation

Implement proper access control by applying an onlyOwner modifier or a role-based access control (RBAC) system to the cacheComponents function. This ensures that only authorized users can modify critical component addresses.

Assessed type

Access Control
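
A sketch of the recommended mitigation, added here as an example and not taken from the report or from the Reserve code base: a component-cache function gated by an owner check, with an event so that every refresh is visible to monitoring. The contract, interface, error and event names are hypothetical, and the example assumes the owner is read from a registry fixed at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical registry interface, constructed for this example.
interface IRegistry {
    function distributor() external view returns (address);
    function owner() external view returns (address);
}

// Hypothetical contract illustrating an access-controlled cache refresh.
contract TraderExample {
    // Fixed at deployment, so no later caller can substitute another registry.
    IRegistry public immutable registry;
    address public distributor;

    error NotOwner(address caller);
    error ZeroAddress();

    // Emitted on every refresh so off-chain monitoring can alert on changes.
    event DistributorCached(address indexed previous, address indexed current);

    modifier onlyOwner() {
        if (msg.sender != registry.owner()) revert NotOwner(msg.sender);
        _;
    }

    constructor(IRegistry registry_) {
        if (address(registry_) == address(0)) revert ZeroAddress();
        registry = registry_;
        distributor = registry_.distributor();
    }

    // The caller passes no address: the value is re-read from the fixed
    // registry, and only the registry's owner may trigger the refresh.
    function cacheComponents() external onlyOwner {
        _setDistributor(registry.distributor());
    }

    function _setDistributor(address next) private {
        if (next == address(0)) revert ZeroAddress();
        emit DistributorCached(distributor, next);
        distributor = next;
    }
}
```

When triaging a finding of this kind, check which inputs of the cache function a caller can actually influence: the guard matters most when the new addresses, or the source they are read from, can be chosen by the caller.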