Vulnerability details
Impact
The deploy function is marked external but has no access control modifier, so any address can call it and trigger deployments that were never authorised.
A malicious user could deploy unauthorised versions of the system, or cause a Denial of Service (DoS) by flooding the network with unnecessary deployments.
Proof of Concept
Any address can call the deploy function and create a new instance of the RToken system, even when that instance is not intended by the protocol.
Such unauthorised or malicious deployments might be used to exploit other parts of the system, or simply to waste resources.
Use Case of Similar Issue:
https://blaize.tech/article-type/analysis/defi-hacks-in-2022-causes-cases-cautionary-tales/#6
A relevant example of a DeFi project exploited through a similar weakness is the Acala Network hack of August 2022.
In that case, a misconfiguration in a recently deployed liquidity pool allowed attackers to mint 1.28 billion aUSD tokens without authorisation.
The incident underscores the risk of deployment functions that lack proper access controls: unauthorised actions can destabilise an entire DeFi platform.
Tools Used
Manual review.
Recommended Mitigation Steps
Implement access control by restricting which addresses may call the deploy function.
For example, OpenZeppelin's Ownable (onlyOwner) or AccessControl (onlyRole) can be used to limit access to this function.
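As an added illustration, not the project's Deployer.sol (which is only linked below), the following simplified deployer shows the unguarded external deploy function described in the proof of concept beside the two mitigations recommended above, with Foundry tests checking that an arbitrary caller succeeds against the unguarded version and is rejected by both guarded ones. It assumes OpenZeppelin Contracts v5 (Ownable takes an initial owner, and both libraries revert with custom errors) and forge-std; the Instance contract, the deploy signature and all names are placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {IAccessControl} from "@openzeppelin/contracts/access/IAccessControl.sol";
import {Test} from "forge-std/Test.sol";

// Placeholder for the deployed system; the real RToken system is not modelled.
contract Instance {
    string public name;
    constructor(string memory name_) { name = name_; }
}

// Assumed shape of the finding: an external deploy() with no caller check.
contract UnguardedDeployer {
    event Deployed(address indexed caller, address instance);

    function deploy(string calldata name) external returns (address instance) {
        instance = address(new Instance(name));
        emit Deployed(msg.sender, instance);
    }
}

// Mitigation 1: only a single owner may deploy (OpenZeppelin Ownable).
contract OwnedDeployer is Ownable {
    event Deployed(address indexed caller, address instance);

    constructor(address initialOwner) Ownable(initialOwner) {}

    function deploy(string calldata name) external onlyOwner returns (address instance) {
        instance = address(new Instance(name));
        emit Deployed(msg.sender, instance);
    }
}

// Mitigation 2: a dedicated DEPLOYER_ROLE (OpenZeppelin AccessControl), so the
// right to deploy can be granted to or revoked from several accounts.
contract RoleDeployer is AccessControl {
    bytes32 public constant DEPLOYER_ROLE = keccak256("DEPLOYER_ROLE");
    event Deployed(address indexed caller, address instance);

    constructor(address admin) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(DEPLOYER_ROLE, admin);
    }

    function deploy(string calldata name) external onlyRole(DEPLOYER_ROLE) returns (address instance) {
        instance = address(new Instance(name));
        emit Deployed(msg.sender, instance);
    }
}

// Foundry tests: a stranger succeeds against the unguarded deployer and is
// rejected by both guarded variants, while the authorised account still works.
contract DeployerAccessTest is Test {
    address admin = makeAddr("admin");
    address stranger = makeAddr("stranger");

    function test_unguardedAcceptsAnyCaller() public {
        UnguardedDeployer d = new UnguardedDeployer();
        vm.prank(stranger);
        address inst = d.deploy("anyone");
        assertEq(Instance(inst).name(), "anyone");
    }

    function test_ownedRejectsStranger() public {
        OwnedDeployer d = new OwnedDeployer(admin);
        vm.prank(stranger);
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, stranger));
        d.deploy("blocked");

        vm.prank(admin);
        assertTrue(d.deploy("allowed") != address(0));
    }

    function test_roleRejectsStranger() public {
        RoleDeployer d = new RoleDeployer(admin);
        // Read the role before pranking: the view call would otherwise consume the prank.
        bytes32 role = d.DEPLOYER_ROLE();
        vm.prank(stranger);
        vm.expectRevert(
            abi.encodeWithSelector(IAccessControl.AccessControlUnauthorizedAccount.selector, stranger, role)
        );
        d.deploy("blocked");

        vm.prank(admin);
        assertTrue(d.deploy("allowed") != address(0));
    }
}
```

Run with forge test. Before adding such a restriction to a live protocol, confirm that the deploy function is not intended to be permissionless: an access check changes who may create new instances, which is a trust-model decision rather than only a code fix, and the choice between Ownable and AccessControl decides whether that right sits with one key or with a revocable set of accounts.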
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/Deployer.sol#L107-L114
Assessed type
Access Control