[METER-LSD-03] Lack of Bucket Owner Verification in Updating Bucket Candidates
Impact
A malicious user can change the candidates of different buckets on the mainnet in bulk.
This issue allows a malicious user to steal all the Block Rewards.
Description
The meter chain provides a path through the precompile contract via ScriptEngine.sol.
Here's the code for the endpoint that sets up the candidate for the bucket.
[METER-LSD-03] Lack of Bucket Owner Verification in Updating Bucket Candidates
Impact
A malicious user can change the candidates of different buckets on the mainnet in bulk. This issue allows a malicious user to steal all the Block Rewards.
Description
The meter chain provides a path through the precompile contract via ScriptEngine.sol. Here's the code for the endpoint that sets up the candidate for the bucket.
The code should only allow the bucket's owner to modify the candidate, but there is no code to check if the transaction sender is the bucket owner.
Therefore, it was possible to modify the candidate of every existing bucket and steal all the block rewards.
Recommendations
We recommend adding code to check if the Transaction Sender is the Bucket Owner.