sherlock-audit / 2023-12-arcadia-judging


iberry - setApprovedCreditor function in AccountV1 contract can be called by anyone #202

Closed sherlock-admin closed 9 months ago

sherlock-admin commented 9 months ago

iberry

high

setApprovedCreditor function in AccountV1 contract can be called by anyone

Summary

The setApprovedCreditor function in AccountV1 has no access control, allowing any user to set a creditor.

Vulnerability Detail

The setApprovedCreditor function in the AccountV1 contract lacks access control, allowing any user to set a creditor without restriction. This allows attackers to bypass checks in the flashActionByCreditor function, potentially causing unauthorized transfer of assets.

Impact

This allows attackers to bypass checks in the flashActionByCreditor function, potentially causing unauthorized transfer of assets.

Code Snippet

https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/src/accounts/AccountV1.sol#L400-L402

Tool used

Manual Review

Recommendation

Use an appropriate access control check on the function.

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 9 months ago

Invalid, msg.sender is used to set appropriate creditor within approvedCreditor, so no issue here.
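To make the judge's point concrete for readers of both the report above and this verdict, here is an added, hypothetical model of the two patterns involved. It is not Arcadia's AccountV1 code and not part of this issue; the contract and variable names (`AccountModel`, `BrokenAccountModel`, `owner`, `approvedCreditor`, `flashActionByCreditor`, `OnlyApprovedCreditor`) are assumptions chosen to illustrate why a setter keyed by `msg.sender` needs no caller restriction, while a setter writing a single shared slot would.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical model (assumption, not Arcadia's code) of the pattern the
// judge describes: the approved creditor is stored per caller, so an
// unpermissioned setter can only ever affect the caller's own slot.
contract AccountModel {
    address public owner;

    // Keyed by the address that wrote it. A third party calling
    // setApprovedCreditor writes approvedCreditor[thirdParty], which the
    // account never consults for the current owner.
    mapping(address => address) public approvedCreditor;

    error OnlyApprovedCreditor();

    constructor(address owner_) {
        owner = owner_;
    }

    // Deliberately callable by anyone: msg.sender is the mapping key,
    // so the caller can only pre-approve a creditor for itself.
    function setApprovedCreditor(address creditor_) external {
        approvedCreditor[msg.sender] = creditor_;
    }

    // Only the creditor the *current owner* approved for itself passes.
    // Walk-through (constructed): attacker A calls setApprovedCreditor(C).
    // That sets approvedCreditor[A] = C. approvedCreditor[owner] is untouched,
    // so a call from C reverts here unless the owner had approved C.
    function flashActionByCreditor() external view returns (bool) {
        if (msg.sender != approvedCreditor[owner]) revert OnlyApprovedCreditor();
        return true;
    }
}

// Counter-example (constructed): the scenario the report assumed. With a
// single shared slot, an unpermissioned setter really would let anyone
// install a creditor for the account, and the caller check below would be
// bypassable. The fix in THIS shape is to restrict the setter to the owner.
contract BrokenAccountModel {
    address public owner;
    address public approvedCreditor; // one slot for the whole account

    error OnlyOwner();
    error OnlyApprovedCreditor();

    constructor(address owner_) {
        owner = owner_;
    }

    // Hardened variant: the shared slot may only be written by the owner.
    function setApprovedCreditor(address creditor_) external {
        if (msg.sender != owner) revert OnlyOwner();
        approvedCreditor = creditor_;
    }

    function flashActionByCreditor() external view returns (bool) {
        if (msg.sender != approvedCreditor) revert OnlyApprovedCreditor();
        return true;
    }
}
```

The distinction to check when triaging a report like this one is what the mapping is keyed by and which key the guarded function reads: if both are the account owner (or `msg.sender` on the write side, `owner` on the read side), a third party's write lands in a slot that is never consulted, and no caller restriction on the setter is needed.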