search

hats-finance / AlephZeroAMM-0x0d88a9ece90994ecb3ba704730819d71c139f60f

Apache License 2.0
1 stars 0 forks source link

Various functions within the protocol are private, making the protocol unusable to users #1

Open hats-bug-reporter[bot] opened 10 months ago

hats-bug-reporter[bot] commented 10 months ago

Github username: @JJtheAndroid Twitter username: -- Submission hash (on-chain): 0x91081465e697aa32950d10eebed8155d8a777306357b09f4265f0ccf6bedd47d Severity: high

Description: Various functions within the protocol are private, making the protocol unusable to users

Attack Scenario\

The protocol does not follow ink! documentation when it comes to making public and private functions. Here the documentation states that in ink!, functions are private by default. Shown here

https://use.ink/basics/contract-template

However, several critical functions in the pair contract are written as follows.

        #[ink(message)]
        fn mint(&mut self, to: AccountId) -> Result<u128, PairError> { ...

https://github.com/Cardinal-Cryptography/common-amm/blob/0a7264d707aea51b559a1bf94448681b59660f6a/amm/contracts/pair/lib.rs#L303-L304

https://github.com/Cardinal-Cryptography/common-amm/blob/0a7264d707aea51b559a1bf94448681b59660f6a/amm/contracts/pair/lib.rs#L363-L364

https://github.com/Cardinal-Cryptography/common-amm/blob/0a7264d707aea51b559a1bf94448681b59660f6a/amm/contracts/pair/lib.rs#L412-L413

The missing pub make the functions private by default and therefore inassessible to the public by default. Therefore, users will not be able to use the protocol

Attachments

  1. Proof of Concept (PoC) File

https://use.ink/basics/contract-template

  1. Revised Code File (Optional)

The functions (swap, mint, burn) should be public and written like this 

    #[ink(message)]
      pub  fn mint(&mut self, to: AccountId) -> Result<u128, PairError> { ...
JJtheAndroid commented 10 months ago

Also worth noting that the same vulnerability is mentioned in the Aleph Zero docs as well https://docs.alephzero.org/aleph-zero/build/aleph-zero-smart-contracts-basics/creating-your-first-contract.

deuszx commented 10 months ago

The lack of pub modifier doesn't make the function inaccessible to the other contracts. In ink! it's the existence of #[ink(message)] macro that controls whether the method is callable or not. One can add pub but it's not necessary.

If you tried to write a PoC file you'd find that this isn't the case - i.e. that methods with #[ink(message)] but without pub modifier are still callable/accessible from other contracts.

deuszx commented 10 months ago

Thank you for participation. After carefully reviewing the submission we've concluded that this issue is INVALID.

We hope you participate in the future audits of ink!.