sherlock-audit / 2023-12-arcadia-judging

iberry - The setAssetManager function in AccountV1 contract can be called by anyone #208

Closed sherlock-admin closed 9 months ago

sherlock-admin commented 9 months ago

iberry

high

The setAssetManager function in AccountV1 contract can be called by anyone

Summary

The setAssetManager function in AccountV1 has no access control allowing users to set assetManager

Vulnerability Detail

The setAssetManager function in the AccountV1 contract lacks access control, allowing any user to set an assetManager without restriction. This allows attackers to bypass checks in the onlyAssetManager modifier, potentially causing unauthorized transfer of assets in the flashAction function.

Impact

This allows attackers to bypass checks in the flashAction function, potentially causing unauthorized transfer of assets.

Code Snippet

https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/src/accounts/AccountV1.sol#L601-L603

https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/src/accounts/AccountV1.sol#L96-L100

https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/src/accounts/AccountV1.sol#L623-L626

Tool used

Manual Review

Recommendation

Use access control right to check function

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 9 months ago

Invalid, caller represented by msg.sender is used to assign relevant permissions for asset managers within isAssetManager, so this call is not lacking "access control"