search

code-423n4 / 2024-08-superposition-validation

0 stars 0 forks source link

The `authorised_enablers` are not allowed to create new pools #221

Closed c4-bot-2 closed 1 month ago

c4-bot-2 commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/lib.rs#L120-L121 https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/lib.rs#L999-L1011

Vulnerability details

According to the documentation, the authorised_enablers should be allowed to create new pools and enable them:

    // authorised enablers to create new pools, and enable them
    authorised_enablers: StorageMap<Address, StorageBool>,

lib.rs#L120-L121

However, the create_pool_D650_E2_D0 function allows only the seawater admin to create new pools:

    pub fn create_pool_D650_E2_D0(
        // ... other code
        assert_eq_or!(
            msg::sender(),
            self.seawater_admin.get(),
            Error::SeawaterAdminOnly
        );

lib.rs#L999-L1011

Impact

The pool can only be created by seawater_admin even though, according to the authorised_enablers documentation, the authorized enablers should be allowed not only to enable pools, but also to create new ones.

Tools Used

Manual review.

Recommended Mitigation Steps

To mitigate this, either allow authorised_enablers to create new pools or modify the comments for the authorised_enablers mapping.

Assessed type

Access Control