Unprotected function manageTokens in RevenueTrader.sol

[c4-bot-1]

Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/RevenueTrader.sol#L109-L113

Vulnerability details

Impact

This contract is vulnerable to unauthorized access allowing attackers to perform malicious activity like draining tokens from the contract due to lack of proper access control

Proof of Concept

If an attacker calls the function manageTokens() with malicious input parameters including a token address and a trade kind, it would result in a critical compromise of the contract e.g

IERC20[] memory erc20s = [
    IERC20(tokenRevenueTokenAddress),
    IERC20(attackerTokenAddress)
];

Trade kind[] memory kinds = [
    TradeKind.BUY,
    TradeKind.SELL
];
revenueTrader.manageTokens(erc20s, kinds);

Now when you call the vulnerable functions with these malicious parameters the attacker gets to compromise the contract and drain tokens from the contract as the function will execute the token management operation without validating the attacker's authorization

Tools Used

Slither auditing tool

Recommended Mitigation Steps

To mitigate this vulnerability onlyAuthorized modifier should be used to prevent prevent unauthorized access. A require statement should also be included to check if the token management is authorized

function manageTokens(IERC20[] calldata erc20s, TradeKind[] calldata kinds) external onlyAuthorized nonReentrant notTradingPausedorFrozen {
    require(erc20s.length == kinds.length, "Invalid input lengths");
    for (uint256 I= 0; i < erc20s.length; i++) {
        require(erc20s[i].isAuthorized(msg.sender), "Unauthorized token access");
    }
    // token management code continues here
}

Assessed type

Access Control