code-423n4 / 2024-07-reserve-validation

Unrestricted Access to Critical State Update #236

Closed c4-bot-3 closed 1 month ago

c4-bot-3 commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/Distributor.sol#L270

Vulnerability details

The cacheComponents function in the DistributorP1 contract is designed to update critical contract references after an upgrade. However, it lacks access control, potentially allowing unauthorized parties to manipulate the contract's state.

The function cacheComponents is declared as public, meaning any external actor can call it. This function updates critical contract references, including:

These references are crucial for the correct functioning of the Distributor, particularly in the distribute function.

Code Snippet

function cacheComponents() public {
    rsr = main.rsr();
    rToken = IERC20(address(main.rToken()));
    furnace = main.furnace();
    stRSR = main.stRSR();
    rTokenTrader = address(main.rTokenTrader());
    rsrTrader = address(main.rsrTrader());
}

Impact

An attacker could potentially call this function at any time, forcing the contract to update its component references. If the main contract is compromised or updated incorrectly, this could lead to:

  1. Redirection of funds to malicious contracts
  2. Disruption of the distribution mechanism
  3. Potential freezing of funds or functionality

Scenario

  1. An attacker identifies this vulnerability.
  2. They wait for a moment when the main contract is being updated or is briefly in an inconsistent state.
  3. The attacker calls cacheComponents, potentially updating the Distributor with incorrect addresses.
  4. Subsequent calls to distribute could send funds to attacker-controlled addresses.

Fix

Implement proper access control on the cacheComponents function. Here's a suggested fix:

function cacheComponents() public onlyGovernance {
    rsr = main.rsr();
    rToken = IERC20(address(main.rToken()));
    furnace = main.furnace();
    stRSR = main.stRSR();
    rTokenTrader = address(main.rTokenTrader());
    rsrTrader = address(main.rsrTrader());
}

Assessed type

Access Control
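
A triage harness for the claim in this report, added here as an example and not code from the report or from the Reserve repository: it checks that a `cacheComponents` call from an account holding no role leaves the cached references equal to what Main currently reports. `MockMain`, `MockDistributor` and `CacheTriage` are constructed stand-ins reduced to two references, and the pragma version is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19; // assumed compiler version

// Constructed stand-in for Main: only its owner can change a component address.
contract MockMain {
    address public owner = msg.sender;
    address public furnace;
    address public stRSR;

    function setComponents(address furnace_, address stRSR_) external {
        require(msg.sender == owner, "governance only");
        furnace = furnace_;
        stRSR = stRSR_;
    }
}

// Constructed stand-in for the Distributor, same shape as the reported snippet.
contract MockDistributor {
    MockMain public main;
    address public furnace;
    address public stRSR;

    constructor(MockMain main_) {
        main = main_;
        cacheComponents();
    }

    // Public and parameterless, as in the report: every value is read from main.
    function cacheComponents() public {
        furnace = main.furnace();
        stRSR = main.stRSR();
    }
}

// Triage check, deployed by an account with no role on MockMain.
contract CacheTriage {
    // Returns true when the cache still mirrors Main after an unprivileged refresh.
    function cacheMatchesMain(MockDistributor d) external returns (bool) {
        d.cacheComponents(); // msg.sender here is this contract, not the owner
        MockMain m = d.main();
        return d.furnace() == m.furnace() && d.stRSR() == m.stRSR();
    }
}
```

Running `cacheMatchesMain` before and after an owner call to `setComponents` shows which account actually decides the values the Distributor caches.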