search

sherlock-audit / 2023-10-aloe-judging

9 stars 6 forks source link

exolorkistis - Possible loss of funds due to access control #23

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

exolorkistis

high

Possible loss of funds due to access control

Summary

By frontrunning the function claimRewards it is possible for the rewards to be stolen

Vulnerability Detail

In the smart contract Factory.sol there is a function called claimRewards .In that function the only 2 inputs are Lender[] calldata lenders and address beneficiery. A malicious user could front run this function and get the Lender[] calldata lenders and by inputing his address as a beneficiery it is possible to steal all the rewards from all the lenders.

Impact

If frontruning attack is succesfull all the rewards are stolen.

Code Snippet

https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Factory.sol#L228-L240

Tool used

Manual Review

Recommendation

To address this vulnerability and prevent unauthorized claims, you should implement access control checks and validation mechanisms within the claimRewards function to ensure that:

  1. The sender of the transaction (msg.sender) matches the legitimate beneficiary.
  2. Only authorized users can call the function and specify the beneficiary.

By adding these checks, you can prevent front-runners from manipulating the beneficiary address and ensure that the rewards are correctly distributed to the intended recipient.

sherlock-admin2 commented 1 year ago

3 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, because claimReward claims rewards from the lenders only by msg.sender (and sends them to recepient specified). Frontrunning won't steal anything - it will just claim msg.sender's rewards (who will be different from the transaction he frontruns)

tsvetanovv commented:

Invalid. There is no way the rewards can be stolen in this way

MohammedRizwan commented:

invalid issue