Function accrue() does not check if the caller of the function is authorized to trigger the interest accrual for the given bank
Summary
The accrue function in the provided code block has a potential security issue. Specifically, it does not check if the caller of the function is authorized to trigger the interest accrual for the given bank. This means that any external account can call this function and trigger the accrual of interest for any bank, which could potentially lead to unauthorized access to funds.
Vulnerability Detail
The accrue function in the provided code block has a potential security issue. Specifically, it does not check if the caller of the function is authorized to trigger the interest accrual for the given bank. This means that any external account can call this function and trigger the accrual of interest for any bank, which could potentially lead to unauthorized access to funds.
Impact
which could potentially lead to unauthorized access to funds.
function accrue(address token) public override {
Bank storage bank = banks[token];
if (!bank.isListed) revert Errors.BANK_NOT_LISTED(token);
ICErc20(bank.bToken).borrowBalanceCurrent(address(this));
}
Tool used
Manual Review
Recommendation
Here's an example implementation of the onlyBankOwner modifier:
modifier onlyBankOwner(address token) {
require(msg.sender == banks[token].owner, "Only bank owner can trigger interest accrual");
_;
}
You could then modify the accrue function to include this modifier:
function accrue(address token) public override onlyBankOwner(token) {
Bank storage bank = banks[token];
if (!bank.isListed) revert Errors.BANK_NOT_LISTED(token);
ICErc20(bank.bToken).borrowBalanceCurrent(address(this));
}
BugHunter101
high
Function accrue() does not check if the caller of the function is authorized to trigger the interest accrual for the given bank
Summary
The accrue function in the provided code block has a potential security issue. Specifically, it does not check if the caller of the function is authorized to trigger the interest accrual for the given bank. This means that any external account can call this function and trigger the accrual of interest for any bank, which could potentially lead to unauthorized access to funds.
Vulnerability Detail
The accrue function in the provided code block has a potential security issue. Specifically, it does not check if the caller of the function is authorized to trigger the interest accrual for the given bank. This means that any external account can call this function and trigger the accrual of interest for any bank, which could potentially lead to unauthorized access to funds.
Impact
which could potentially lead to unauthorized access to funds.
Code Snippet
https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/BlueBerryBank.sol#L306
Tool used
Manual Review
Recommendation
Here's an example implementation of the onlyBankOwner modifier:
modifier onlyBankOwner(address token) { require(msg.sender == banks[token].owner, "Only bank owner can trigger interest accrual"); _; }
You could then modify the accrue function to include this modifier:
function accrue(address token) public override onlyBankOwner(token) { Bank storage bank = banks[token]; if (!bank.isListed) revert Errors.BANK_NOT_LISTED(token); ICErc20(bank.bToken).borrowBalanceCurrent(address(this)); }