search

code-423n4 / 2024-08-superposition-validation

0 stars 0 forks source link

Lack of Access Control on Critical Functions #168

Closed c4-bot-9 closed 1 month ago

c4-bot-9 commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/sol/SeawaterAMM.sol#L160-L168

Vulnerability details

Vulnerability Details

Several critical functions like createPoolD650E2D0(), collectProtocol7540FA9F(), enablePool579DA658() etc. don't have any access control checks. They simply delegate the call to the admin executor contract without verifying if the caller has the appropriate permissions.

Link To Code

Impact

Any external actor could call these admin functions and potentially manipulate critical protocol parameters if the admin executor contract doesn't implement proper access controls. This could lead to unauthorized pool creation, fee collection, enabling/disabling pools etc.

Proof of Concept

    function createPoolD650E2D0(
        address /* token */,
        uint256 /* sqrtPriceX96 */,
        uint32 /* fee */,
        uint8 /* tickSpacing */,
        uint128 /* maxLiquidityPerTick */
    ) external {
        directDelegate(_getExecutorAdmin());
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Add access control checks in the SeawaterAMM contract before delegating admin calls:

modifier onlyAdmin {
    require(msg.sender == admin, "Only admin");
    _;
}

function createPoolD650E2D0(...) external onlyAdmin {
    directDelegate(_getExecutorAdmin());  
}

Assessed type

Access Control