Important onlyOwner protected functions in Incentives and Validators cannot be executed by BoostCore
Summary
The BoostCore contract deploys and initializes clones of multiple contracts, making BoostCore the owner of these contracts. This setup enables BoostCore to execute key functions like claim() in the Incentive contracts. However, it prevents other critical functions, such as drawRaffle() and clawback(), from being executed because there is no logic in the BoostCore contract to call them.
Vulnerability Detail
The Incentive and Validator contracts are deployed and initialized by BoostCore, which assigns BoostCore as the owner of these contracts. This allows BoostCore to invoke the claim() function in the Incentive contracts, which is secured by the onlyOwner modifier.
However, other functions in the Incentive and Validator contracts, also protected by the onlyOwner modifier, cannot be invoked because BoostCore does not contain logic to call them. These functions include:
SignerValidator:setAuthorized()
SignerValidator:setValidatorCaller()
AllowListIncentive:clawback()
CGDAIncentive:clawback()
ERC20Incentive:clawback()
ERC20Incentive:drawRaffle()
ERC20VariableIncentive:clawback()
ERC1155Incentive:clawback()
Impact
This issue can render several contracts inoperable:
The ERC20Incentive contract with the RAFFLEstrategy will never be able to call the drawRaffle() function, causing funds to remain locked. Additionally, there will be no method to invoke the clawback() function.
The SignerValidator contract will be unable to register or de-register signers and callers after deployment.
None of the Incentives contract will be able to reclaim their funds
Implement role-based access control, allowing BoostCore to call only the claim() function, while restricting access to other functions, and setting the owner to the same as the Boost owner.
PranavGarg
High
Important onlyOwner protected functions in Incentives and Validators cannot be executed by BoostCore
Summary
The
BoostCorecontract deploys and initializes clones of multiple contracts, makingBoostCorethe owner of these contracts. This setup enablesBoostCoreto execute key functions likeclaim()in the Incentive contracts. However, it prevents other critical functions, such asdrawRaffle()andclawback(), from being executed because there is no logic in the BoostCore contract to call them.Vulnerability Detail
The Incentive and Validator contracts are deployed and initialized by
BoostCore, which assignsBoostCoreas the owner of these contracts. This allowsBoostCoreto invoke theclaim()function in the Incentive contracts, which is secured by theonlyOwnermodifier.However, other functions in the Incentive and Validator contracts, also protected by the
onlyOwnermodifier, cannot be invoked because BoostCore does not contain logic to call them. These functions include:SignerValidator:setAuthorized()SignerValidator:setValidatorCaller()AllowListIncentive:clawback()CGDAIncentive:clawback()ERC20Incentive:clawback()ERC20Incentive:drawRaffle()ERC20VariableIncentive:clawback()ERC1155Incentive:clawback()Impact
This issue can render several contracts inoperable:
ERC20Incentivecontract with theRAFFLEstrategy will never be able to call thedrawRaffle()function, causing funds to remain locked. Additionally, there will be no method to invoke theclawback()function.SignerValidatorcontract will be unable to register or de-register signers and callers after deployment.Code Snippet
Some of the onlyOwner protected functions https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/78930f2ed6570f30e356b5529bd4bcbe5194eb8b/boost-protocol/packages/evm/contracts/incentives/ERC20VariableIncentive.sol#L98
https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/78930f2ed6570f30e356b5529bd4bcbe5194eb8b/boost-protocol/packages/evm/contracts/incentives/ERC20Incentive.sol#L137
https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/78930f2ed6570f30e356b5529bd4bcbe5194eb8b/boost-protocol/packages/evm/contracts/incentives/ERC20Incentive.sol#L98
Tool used
Manual Review
Recommendation
Implement role-based access control, allowing BoostCore to call only the
claim()function, while restricting access to other functions, and setting the owner to the same as the Boost owner.