code-423n4 / 2024-07-reserve-validation


The deploy function lacks access control modifiers in the deployer contract #97

Closed c4-bot-2 closed 1 month ago

c4-bot-2 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/Deployer.sol#L107-L114

Vulnerability details

Impact

Detailed description of the impact of this finding.

The deploy function is marked as external but lacks any access control modifiers.

This means that any address can call this function, potentially leading to unauthorised deployments.

A malicious user could deploy unauthorised versions of the system or cause Denial of Service (DoS) attacks by flooding the network with unnecessary deployments.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

The vulnerable code:

    function deploy(
        string memory name,
        string memory symbol,
        string calldata mandate,
        address owner,
        DeploymentParams memory params
    ) external returns (address) {
        require(owner != address(0) && owner != address(this), "invalid owner");
        // ... remainder of the function body not shown in this excerpt
    }

Any address can call the deploy function and create a new instance of the RToken system, even if it’s not intended.

This could lead to unauthorised or malicious deployments, which might be used to exploit other parts of the system or simply waste resources.

Use Case of Similar Issue:

https://blaize.tech/article-type/analysis/defi-hacks-in-2022-causes-cases-cautionary-tales/#6

A relevant example where a DeFi company was exploited due to a similar vulnerability is the Acala Network hack in August 2022. 

In this case, a misconfiguration in a recently deployed liquidity pool allowed attackers to exploit the protocol and mint 1.28 billion aUSD tokens without authorization. 

This incident underscores the risks associated with deployment functions lacking proper access controls, leading to unauthorized actions that can destabilize a DeFi platform.

Tools Used

Manual review.

Recommended Mitigation Steps

Implement access control by restricting who can call the deploy function.

For example, you can use OpenZeppelin’s Ownable or AccessControl libraries to restrict access to this function.

    import "@openzeppelin/contracts/access/Ownable.sol";

    contract DeployerP1 is IDeployer, Versioned, ReentrancyGuard, Ownable {
        // ...

        function deploy(
            string memory name,
            string memory symbol,
            string calldata mandate,
            address owner,
            DeploymentParams memory params
        ) external nonReentrant onlyOwner returns (address) {
            // ...
        }
    }

Assessed type

Access Control
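The manual check behind this report can be approximated with a short script. This is an added example, not part of the original submission or of the Reserve code base. It lists state-changing `external`/`public` Solidity functions that carry none of a configured set of access-control modifiers, and it runs over the two `deploy` signatures quoted above. The modifier set and the regex-based parsing are assumptions of this sketch, and a hit is a candidate for review only, since some entry points are permissionless by design.

```python
import re

# Modifiers counted as access control: OpenZeppelin's onlyOwner and onlyRole.
# Assumption: extend this set with the code base's own guards.
ACCESS_MODIFIERS = {"onlyOwner", "onlyRole"}
KEYWORDS = {"external", "public", "internal", "private", "view", "pure",
            "payable", "virtual", "override", "returns"}
FUNC_RE = re.compile(r"function\s+(\w+)\s*\((.*?)\)([^{;]*)[{;]", re.DOTALL)


def unguarded_entry_points(source):
    """Return (name, modifiers) for each state-changing external/public
    function that carries none of ACCESS_MODIFIERS."""
    # Strip comments so commented-out signatures are not reported.
    source = re.sub(r"//[^\n]*|/\*.*?\*/", "", source, flags=re.DOTALL)
    findings = []
    for name, _params, header in FUNC_RE.findall(source):
        # Drop argument lists such as returns (address) or onlyRole(ROLE).
        words = re.sub(r"\([^)]*\)", "", header).split()
        if not {"external", "public"} & set(words):
            continue  # not callable from outside the contract
        if {"view", "pure"} & set(words):
            continue  # read-only, cannot change state
        modifiers = [w for w in words if w not in KEYWORDS]
        if not ACCESS_MODIFIERS & set(modifiers):
            findings.append((name, modifiers))
    return findings


# Signature quoted in the report; the body is cut short (constructed input).
BEFORE = """
function deploy(
    string memory name,
    string memory symbol,
    string calldata mandate,
    address owner,
    DeploymentParams memory params
) external returns (address) {
    require(owner != address(0) && owner != address(this), "invalid owner");
}
"""
# The report's proposed mitigation applied to the same signature.
AFTER = BEFORE.replace("external returns",
                       "external nonReentrant onlyOwner returns")

if __name__ == "__main__":
    print("before:", unguarded_entry_points(BEFORE))
    print("after: ", unguarded_entry_points(AFTER))
```

`nonReentrant` alone does not count as access control here, so a function guarded only by it is still listed.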

c4-bot-9 commented 1 month ago

Withdrawn by debo