The cacheComponents function in the DistributorP1 contract is designed to update critical contract references after an upgrade. However, it lacks access control, potentially allowing unauthorized parties to manipulate the contract's state.
The function cacheComponents is declared as public, meaning any external actor can call it. This function updates critical contract references, including:
RSR and RToken addresses
Furnace and StRSR contract addresses
RToken and RSR trader addresses
These references are crucial for the correct functioning of the Distributor, particularly in the distribute function.
An attacker could potentially call this function at any time, forcing the contract to update its component references. If the main contract is compromised or updated incorrectly, this could lead to:
Redirection of funds to malicious contracts
Disruption of the distribution mechanism
Potential freezing of funds or functionality
Scenario
An attacker identifies this vulnerability.
They wait for a moment when the main contract is being updated or is briefly in an inconsistent state.
The attacker calls cacheComponents, potentially updating the Distributor with incorrect addresses.
Subsequent calls to distribute could send funds to attacker-controlled addresses.
Fix
Implement proper access control on the cacheComponents function. Here's a suggested fix:
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/Distributor.sol#L270
Assessed type
Access Control
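One way to gate a cache-refresh function like cacheComponents, as an added example that is neither the report's own fix nor the project's code. IRegistry, CachedDistributor, the OWNER role, and every function name here are hypothetical stand-ins for the main contract and its components.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration; all names are hypothetical, not taken from the audited code base.
interface IRegistry {
    function furnace() external view returns (address);
    function stakingPool() external view returns (address);
    function hasRole(bytes32 role, address account) external view returns (bool);
}

contract CachedDistributor {
    bytes32 public constant OWNER = keccak256("OWNER");

    IRegistry public registry; // trusted source of component addresses
    address public furnace;    // cached payout destinations
    address public stakingPool;

    event ComponentsCached(address indexed caller, address furnace, address stakingPool);

    error NotOwner(address caller);
    error ZeroComponent();

    constructor(IRegistry registry_) {
        registry = registry_;
        _cache();
    }

    modifier onlyOwner() {
        if (!registry.hasRole(OWNER, msg.sender)) revert NotOwner(msg.sender);
        _;
    }

    // Ungated form, as the report describes it: any caller can trigger a re-read.
    // function cacheComponents() public { _cache(); }

    // Gated form: only an account holding the registry's OWNER role may refresh.
    function cacheComponents() external onlyOwner {
        _cache();
    }

    function _cache() private {
        address f = registry.furnace();
        address s = registry.stakingPool();
        // Refuse to cache from a registry that is mid-update and returns unset addresses.
        if (f == address(0) || s == address(0)) revert ZeroComponent();
        furnace = f;
        stakingPool = s;
        emit ComponentsCached(msg.sender, f, s); // audit trail for every refresh
    }
}
```

The ComponentsCached event gives monitoring a record of who refreshed the cache and which addresses were stored, so an unexpected refresh can be alerted on.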