In the current implementation, the role of authorised_enablers has inconsistencies:
// authorised enablers to create new pools, and enable them
authorised_enablers: StorageMap<Address, StorageBool>,
Disabling Pools: The role description of authorised_enablers suggests they are only authorized to enable pools, but they can also disable them. This dual functionality is not consistent with the intended scope of the role.
Pool Creation: The authorised_enablers are not allowed to create new pools, as this responsibility is exclusively reserved for the admin. However, the role description suggests they have broader control over pool creation.
Impact
Role Confusion and Security Risks: The dual functionality of enabling and disabling pools by authorised_enablers introduces confusion about the intended roles and permissions. This can lead to unauthorized or unexpected actions.
Proof of Concept
@>> // authorised enablers to create new pools, and enable them
@>> authorised_enablers: StorageMap<Address, StorageBool>,
Creating Pools
@>> /// Creates a new pool. Only usable by the seawater admin.
@>> /// Requires the caller to be the seawater admin. Requires the pool to not exist.
Lines of code
https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/lib.rs#L120
Vulnerability details
@>> /// Creates a new pool. Only usable by the seawater admin.
@>> /// Requires the caller to be the seawater admin. Requires the pool to not exist.
#[allow(non_snake_case)]
@>> self.seawater_admin.get(), Error::SeawaterAdminOnly );
Tools Used
Manual Review
Recommended Mitigation Steps
Implement functionality according to the role specification.
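The mismatch described above, as an added example that is not part of the original report or of Superposition's code: a simplified Rust model in which `set_enabled_reported` reproduces the behaviour the report describes and `set_enabled_strict` shows one assumed way to limit enablers to enabling only. `Model`, both `set_enabled_*` functions, `write_flag`, the `u32` address type and the `PoolExists`/`NoSuchPool` errors are hypothetical names.

```rust
use std::collections::{HashMap, HashSet};
// Simplified model of the roles in this report; NOT the seawater contract's code. Only seawater_admin,
// authorised_enablers and Error::SeawaterAdminOnly come from the page; all other names are hypothetical.
type Address = u32;

#[derive(Debug, PartialEq)]
enum Error { SeawaterAdminOnly, PoolExists, NoSuchPool }

struct Model {
    seawater_admin: Address,
    authorised_enablers: HashSet<Address>,
    pools: HashMap<Address, bool>, // pool id -> enabled flag
}

impl Model {
    /// Admin-only creation, as the doc comment quoted in the report states.
    fn create_pool(&mut self, sender: Address, pool: Address) -> Result<(), Error> {
        if sender != self.seawater_admin { return Err(Error::SeawaterAdminOnly); }
        if self.pools.contains_key(&pool) { return Err(Error::PoolExists); }
        self.pools.insert(pool, false);
        Ok(())
    }
    /// Behaviour the report describes: an enabler may set the flag either way.
    fn set_enabled_reported(&mut self, sender: Address, pool: Address, on: bool) -> Result<(), Error> {
        let allowed = sender == self.seawater_admin || self.authorised_enablers.contains(&sender);
        if !allowed { return Err(Error::SeawaterAdminOnly); }
        self.write_flag(pool, on)
    }
    /// Assumed tightening: enablers may only enable; disabling needs the admin.
    fn set_enabled_strict(&mut self, sender: Address, pool: Address, on: bool) -> Result<(), Error> {
        let enabler_ok = on && self.authorised_enablers.contains(&sender);
        if sender != self.seawater_admin && !enabler_ok { return Err(Error::SeawaterAdminOnly); }
        self.write_flag(pool, on)
    }
    fn write_flag(&mut self, pool: Address, on: bool) -> Result<(), Error> {
        self.pools.get_mut(&pool).map(|flag| *flag = on).ok_or(Error::NoSuchPool)
    }
}
/// Constructed fixture: admin = 1, enabler = 2, pool 100 created by the admin.
fn fixture() -> Model {
    let mut m = Model { seawater_admin: 1, authorised_enablers: HashSet::from([2]), pools: HashMap::new() };
    m.create_pool(1, 100).unwrap();
    m
}

fn main() {
    let mut m = fixture();
    println!("{:?} / {:?}", m.set_enabled_reported(2, 100, false), m.set_enabled_strict(2, 100, false));
}
```

A permission test that drives each role through each entry point, as the assertions for this model do, makes a gap between a role's comment and its enforced rights fail in CI.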
Assessed type
Access Control