Lack of Explicit Owner Verification in Authentication Mechanism

Summary

The smart contract lacks explicit verification of the owner's identity within its authentication mechanism, which introduces a security risk. Without proper validation, unauthorized entities could potentially gain access to privileged functionalities reserved for the contract owner.

Vulnerability Detail

The vulnerability lies in the isAuthorizedfunction and the authmodifier. Here's a detailed explanation:

modifier auth() {
        if (!isAuthorized(msg.sender)) revert Unauthorized();
        _;
    }

    function isAuthorized(address src) internal view returns (bool) {
        if (src == owner) {
            return true;
        } else {
            return false;
        }
    }
}

The isAuthorized function is intended to determine whether a given address (src) is the owner of the contract by comparing it with the owner variable. However, it lacks explicit verification of the caller's identity (msg.sender). Consequently, any address that matches the current owner value could potentially bypass the authentication check.

Impact

Without proper authentication and access control, malicious actors could exploit this vulnerability to manipulate fee structures, leading to financial losses, unfair fee distributions, and disruption of protocol operations. For instance, an attacker could set arbitrary and invalid fee values beyond the acceptable boundaries defined by the GladiusReactor contract, leading to inconsistencies in fee calculations or even contract malfunction.

Code Snippet

Link

Tool used

Manual Review

Recommendation

modifier auth() {
    if (msg.sender != owner) revert Unauthorized();
    _;
}

sherlock-audit / 2024-02-rubicon-finance-judging

bigbick123456789000 - Lack of Explicit Owner Verification in Authentication Mechanism #12