Lines of code
https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/lib.rs#L120-L121
https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/lib.rs#L999-L1011
Vulnerability details
According to the documentation, the authorised_enablers should be allowed to create new pools and enable them (lib.rs#L120-L121).
However, the create_pool_D650_E2_D0 function allows only the seawater admin to create new pools (lib.rs#L999-L1011).
Impact
The pool can only be created by seawater_admin even though, according to the authorised_enablers documentation, the authorized enablers should be allowed not only to enable pools, but also to create new ones.
Tools Used
Manual review.
Recommended Mitigation Steps
To mitigate this, either allow authorised_enablers to create new pools or modify the comments for the authorised_enablers mapping.
Assessed type
Access Control
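The following is an added illustration of the access-control mismatch the finding describes and of the first mitigation option (letting authorised enablers create pools). It is not code from the Superposition repository: it is a plain-Rust model with a hypothetical Address type, a hypothetical Seawater struct, and pool storage keyed by a single token address. Only the names seawater_admin and authorised_enablers are taken from the finding; everything else is an assumption made for the example.

```rust
use std::collections::HashMap;

/// Hypothetical 20-byte address type standing in for an EVM address (not the project's type).
pub type Address = [u8; 20];

#[derive(Debug, PartialEq, Eq)]
pub enum Error {
    Unauthorised,
    PoolExists,
}

/// Simplified model of the state involved in the finding. Field names mirror the
/// finding's `seawater_admin` and `authorised_enablers`; the pool map is an assumption.
pub struct Seawater {
    pub seawater_admin: Address,
    pub authorised_enablers: HashMap<Address, bool>,
    pools: HashMap<Address, bool>, // constructed: token -> pool already created
}

impl Seawater {
    pub fn new(admin: Address) -> Self {
        Seawater {
            seawater_admin: admin,
            authorised_enablers: HashMap::new(),
            pools: HashMap::new(),
        }
    }

    /// Only the admin may flip an address's enabler status (assumed admin-only, as in
    /// most role mappings of this kind).
    pub fn set_enabler(&mut self, sender: Address, enabler: Address, allowed: bool) -> Result<(), Error> {
        if sender != self.seawater_admin {
            return Err(Error::Unauthorised);
        }
        self.authorised_enablers.insert(enabler, allowed);
        Ok(())
    }

    /// The behaviour the finding reports: the check rejects everyone except the admin,
    /// so an authorised enabler cannot create a pool despite the documented intent.
    pub fn create_pool_admin_only(&mut self, sender: Address, token: Address) -> Result<(), Error> {
        if sender != self.seawater_admin {
            return Err(Error::Unauthorised);
        }
        self.insert_pool(token)
    }

    /// Mitigation option 1 from the finding: accept the admin or any authorised enabler.
    pub fn create_pool_with_enablers(&mut self, sender: Address, token: Address) -> Result<(), Error> {
        if !self.is_admin_or_enabler(sender) {
            return Err(Error::Unauthorised);
        }
        self.insert_pool(token)
    }

    fn is_admin_or_enabler(&self, sender: Address) -> bool {
        sender == self.seawater_admin
            || self.authorised_enablers.get(&sender).copied().unwrap_or(false)
    }

    fn insert_pool(&mut self, token: Address) -> Result<(), Error> {
        if self.pools.contains_key(&token) {
            return Err(Error::PoolExists);
        }
        self.pools.insert(token, true);
        Ok(())
    }
}

/// Constructed helper: build a distinct test address from one byte.
pub fn addr(b: u8) -> Address {
    [b; 20]
}

fn main() {
    let (admin, enabler, token) = (addr(1), addr(2), addr(9));
    let mut s = Seawater::new(admin);
    s.set_enabler(admin, enabler, true).unwrap();
    println!("admin-only check, enabler caller: {:?}", s.create_pool_admin_only(enabler, token));
    println!("admin-or-enabler check, enabler caller: {:?}", s.create_pool_with_enablers(enabler, token));
}
```

The two create_pool variants differ only in the authorisation predicate; keeping that predicate in one helper (is_admin_or_enabler) makes it easier to keep the enforced rule and the documented rule for the authorised_enablers mapping in sync.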