Description
The MockTEERollup contract currently allows any account to call the setWitness function, which replaces the set of witness public keys. The function has no access control, so an unauthorized account can substitute its own keys for the legitimate witnesses, compromising the integrity of any operation of the contract that relies on the witness set.
Attack Scenario
Any externally owned account or contract calls setWitness with an attacker-chosen array of public keys. The call succeeds because nothing checks msg.sender: every supplied key is marked as an active witness and passed to _setWitnessPublicKeys, replacing the previous witness set.
Attachments
Proof of Concept (PoC) File
Current implementation; anyone can call this function and manipulate the keys:

    // Vulnerable as shown in the submission: declared public with no access
    // control, so any caller can overwrite the active witness set.
    function setWitness(bytes[] calldata publicKeys) public {
        TEERollup.WitnessActivation[] memory _witness =
            new TEERollup.WitnessActivation[](publicKeys.length);
        for (uint256 i = 0; i < _witness.length; i++) {
            _witness[i].publicKey = publicKeys[i];
            _witness[i].isActive = true; // every supplied key becomes an active witness
        }
        _setWitnessPublicKeys(_witness);
    }
Revised Code File (Optional)
Import Ownable: Import the Ownable contract from OpenZeppelin.
Inherit Ownable: Make MockTEERollup inherit from Ownable.
Add onlyOwner Modifier: Apply the onlyOwner modifier to the setWitness and setMinWitness functions to restrict them to the contract owner.
With these changes only the owner of the contract can call setWitness and setMinWitness; any other caller reverts before the witness set or the minimum witness count is touched.
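The three steps above carried through as one complete file, written here as an added example rather than the project's own code. It assumes OpenZeppelin v5 Ownable (whose constructor takes the initial owner), a TEERollup base contract exposing WitnessActivation and _setWitnessPublicKeys as in the submission, and an internal _setMinWitness(uint256) setter for setMinWitness, whose real signature is not shown on this page. The Foundry test at the end is also an assumption about the project's test harness; the witness key bytes in it are constructed placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes OpenZeppelin v5 Ownable and
// a TEERollup base contract with the members used below.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";
import {TEERollup} from "./TEERollup.sol";

contract MockTEERollup is TEERollup, Ownable {
    // Deployer becomes owner; only the owner may rotate witnesses.
    constructor() Ownable(msg.sender) {}

    // Same body as the vulnerable version, now gated by onlyOwner.
    function setWitness(bytes[] calldata publicKeys) public onlyOwner {
        TEERollup.WitnessActivation[] memory _witness =
            new TEERollup.WitnessActivation[](publicKeys.length);
        for (uint256 i = 0; i < _witness.length; i++) {
            _witness[i].publicKey = publicKeys[i];
            _witness[i].isActive = true;
        }
        _setWitnessPublicKeys(_witness);
    }

    // _setMinWitness(uint256) is an assumed internal setter in TEERollup.
    function setMinWitness(uint256 minWitness) public onlyOwner {
        _setMinWitness(minWitness);
    }
}

// Foundry test (assumed harness) checking the access control on both paths.
contract MockTEERollupAccessTest is Test {
    MockTEERollup rollup;
    address attacker = address(0xBEEF);

    function setUp() public {
        rollup = new MockTEERollup(); // this test contract is the owner
    }

    function sampleKeys() internal pure returns (bytes[] memory keys) {
        keys = new bytes[](1);
        keys[0] = hex"04deadbeef"; // constructed placeholder public key
    }

    function test_nonOwnerCannotSetWitness() public {
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, attacker)
        );
        rollup.setWitness(sampleKeys());
    }

    function test_nonOwnerCannotSetMinWitness() public {
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, attacker)
        );
        rollup.setMinWitness(1);
    }

    function test_ownerCanSetWitness() public {
        rollup.setWitness(sampleKeys()); // must not revert for the owner
    }
}
```

Run with forge test from a project that has OpenZeppelin and forge-std installed. Running the same test against the unmodified MockTEERollup makes test_nonOwnerCannotSetWitness fail, because the attacker's call succeeds, which is the finding reproduced as a test rather than a manual call.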
Github username: -- Twitter username: -- Submission hash (on-chain): 0xd169ee8dac441035a8113d7482ae5e401b3c2d365d0711620f607e34bd1e4d8d Severity: low