Closed sherlock-admin closed 1 year ago
Duplicate of #14
Sponsor comment from #14:
We acknowledge this can happen, but it is preferable to alternatives we have analyzed. In general, this is only expected to be used in rare situations and generally when a callback is not being used, which is why we didn't change it after the previous audit.
Escalate for 10 USDC
This is identical to issue 41 in the previous Bond protocol audit: https://github.com/sherlock-audit/2022-11-bond-judging/issues/41. The issue is unfixed. Same protocol / feature / issue.
Last time the sponsor also stated it would not be fixed, but the issue was awarded. So, same sponsor response this time as well.
For consistent judging, this issue should be rewarded this time as well.
You've created a valid escalation for 10 USDC!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalation rejected
Issue acknowledged and intentionally not fixed in the previous contest cannot be rewarded in further contests. Awarding a known issue that is commented on as acceptable risk/design risk by the protocol is not a valid issue.
This issue's escalations have been rejected!
Watsons who escalated this issue will have their escalation amount deducted from their next payout.
usmannk
medium
Transferring ownership might break the market
Summary
This is identical to issue 41 in the previous Bond protocol audit: https://github.com/sherlock-audit/2022-11-bond-judging/issues/41. The issue is unfixed.
When a bond is purchased in a market with a specified callback, it is checked that the market owner is a valid callback address. If the owner of a market is changed to a new owner who is not a valid callback address, it will cause an unexpected denial of service to bond purchasers.
Vulnerability Detail
The callbackAuthorized mapping is checked on bond purchase. Specifically, the market owner is checked against this mapping. Changing the owner to an unauthorized new owner will cause the bond purchase operation to silently fail.
https://github.com/sherlock-audit/2023-02-bond/blob/main/bonds/src/bases/BondBaseFPA.sol#L272-L273
Impact
Unexpected denial of service to bond markets. It is not easily recoverable as the new owner is not able to authorize themselves.
Code Snippet
Tool used
Manual Review
Recommendation
For markets with callbacks, verify the authorization of the new owner when ownership is changed.
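One way to apply the recommendation, as an added sketch that is not code from the report or from the Bond protocol. It assumes a two-step ownership transfer; only `callbackAuthorized` comes from the page, and every other name is hypothetical.

```solidity
// Simplified model, not the Bond protocol source. Only callbackAuthorized is named
// on the page; every other identifier here is a hypothetical stand-in.
pragma solidity ^0.8.15;

contract MarketOwnershipSketch {
    // callbackAddr == address(0) means the market has no callback
    struct Market { address owner; address callbackAddr; }

    address public immutable guardian; // hypothetical role managing the whitelist
    mapping(uint256 => Market) public markets;
    mapping(uint256 => address) public pendingOwner;
    mapping(address => bool) public callbackAuthorized;
    uint256 public marketCount;
    error NotAuthorized();

    constructor() { guardian = msg.sender; }

    function setCallbackAuthStatus(address who, bool status) external {
        if (msg.sender != guardian) revert NotAuthorized();
        callbackAuthorized[who] = status;
    }

    function createMarket(address callbackAddr) external returns (uint256 id) {
        if (!_ownerOk(callbackAddr, msg.sender)) revert NotAuthorized();
        id = marketCount++;
        markets[id] = Market(msg.sender, callbackAddr);
    }

    // The rule the report says is enforced at purchase time.
    function _ownerOk(address callbackAddr, address owner) internal view returns (bool) {
        return callbackAddr == address(0) || callbackAuthorized[owner];
    }

    function purchaseAllowed(uint256 id) external view returns (bool) {
        return _ownerOk(markets[id].callbackAddr, markets[id].owner);
    }

    // Recommendation applied: refuse a hand-over that would fail the purchase check.
    function pushOwnership(uint256 id, address newOwner) external {
        if (msg.sender != markets[id].owner) revert NotAuthorized();
        if (!_ownerOk(markets[id].callbackAddr, newOwner)) revert NotAuthorized();
        pendingOwner[id] = newOwner;
    }

    // Re-check on acceptance, since authorization may be revoked after the push.
    function pullOwnership(uint256 id) external {
        if (msg.sender != pendingOwner[id]) revert NotAuthorized();
        if (!_ownerOk(markets[id].callbackAddr, msg.sender)) revert NotAuthorized();
        markets[id].owner = msg.sender;
        delete pendingOwner[id];
    }
}
```

Without the `_ownerOk` line in `pushOwnership` and `pullOwnership`, `purchaseAllowed` flips to false for a callback market as soon as an unauthorized address accepts ownership, which is the denial of service described above.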