Access control is missing in TOFTGenericReceiverModule.sol
Summary
Access control is missing in TOFTGenericReceiverModule.sol
Vulnerability Detail
function receiveWithParamsReceiver(address srcChainSender, bytes memory _data) public payable {
SendParamsMsg memory msg_ = TOFTMsgCodec.decodeSendParamsMsg(_data);
msg_.amount = _toLD(msg_.amount.toUint64());
if (msg_.unwrap) {
ITOFT tOFT = ITOFT(address(this));
address toftERC20 = tOFT.erc20();
// @audit
// if this lacks access control, it could be exploited
/// @dev xChain owner needs to have approved dst srcChain `sendPacket()` msg.sender in a previous composedMsg. Or be the same address.
_internalTransferWithAllowance(msg_.receiver, srcChainSender, msg_.amount);
tOFT.unwrap(address(this), msg_.amount);
if (toftERC20 != address(0)) {
IERC20(toftERC20).safeTransfer(msg_.receiver, msg_.amount);
} else {
(bool sent,) = msg_.receiver.call{value: msg_.amount}("");
if (!sent) revert TOFTGenericReceiverModule_TransferFailed();
}
}
}
As we can see, there is lack of access control, anyone can input msg.receiver and srcChainSender to move msg.receiver's token and unwrap onbehalf of msg.receiver even msg.receiver user does not want his token be unwrapped.
User can trigger the receiveWithParamsReceiver via TOFT
ctf_sec
high
Access control is missing in TOFTGenericReceiverModule.sol
Summary
Access control is missing in TOFTGenericReceiverModule.sol
Vulnerability Detail
As we can see, there is lack of access control, anyone can input msg.receiver and srcChainSender to move msg.receiver's token and unwrap onbehalf of msg.receiver even msg.receiver user does not want his token be unwrapped.
User can trigger the receiveWithParamsReceiver via TOFT
https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/TapiocaZ/contracts/tOFT/TOFT.sol#L146
Impact
.
Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/TapiocaZ/contracts/tOFT/modules/TOFTGenericReceiverModule.sol#L47
https://github.com/sherlock-audit/2024-02-tapioca/blob/dc2464f420927409a67763de6ec60fe5c028ab0e/TapiocaZ/contracts/tOFT/TOFT.sol#L146
Tool used
Manual Review
Recommendation
Implement access control mechanism to restrict the execution of sensitive functions to only authorized addresses
Duplicate of #132