Authorizing malicious users through rely() may lead to the protocol being compromised.
Summary
Because the function freeNoFee() can only be called by an address which was both authorized on the contract by governance and for which the urn owner has called hope.
If the address is controlled by a malicious user, it can revoke the auth permissions of other addresses.
Root Cause
freeNoFee(address urn, address to, uint256 wad) - Withdraw wad amount of MKR from the urn to the to address without paying any fee. This will undelegate the requested amount of MKR (if a delegate was chosen) and unstake it (if a farm was chosen). It will require the user to pay down debt beforehand if needed. This function can only be called by an address which was both authorized on the contract by governance and for which the urn owner has called hope.
If the address is controlled by a malicious user, it can revoke the auth permissions of other addresses.
From the code, we know that an authorized user can revoke the authorization of all other users, including the auth authorization of LockstakeEngine to LockstakeClipper. As a result, LockstakeEngine cannot be liquidated.
Internal pre-conditions
An address controlled by a malicious user was both authorized on the contract by governance.
External pre-conditions
No response
Attack Path
1. An address controlled by a malicious user was both authorized on the contract by governance.
2. The malicious user revokes the authorization of all other addresses through deny().
Impact
Revoking the authorization of the liquidation module prevents LockstakeEngine from being liquidated, resulting in a loss of funds for the protocol.
ZeroTrust
Medium
Authorizing malicious users through rely() may lead to the protocol being compromised.
Summary
Because the function freeNoFee() can only be called by an address which was both authorized on the contract by governance and for which the urn owner has called hope. If the address is controlled by a malicious user, it can revoke the auth permissions of other addresses.
Root Cause
freeNoFee(address urn, address to, uint256 wad) - Withdraw wad amount of MKR from the urn to the to address without paying any fee. This will undelegate the requested amount of MKR (if a delegate was chosen) and unstake it (if a farm was chosen). It will require the user to pay down debt beforehand if needed. This function can only be called by an address which was both authorized on the contract by governance and for which the urn owner has called hope. If the address is controlled by a malicious user, it can revoke the auth permissions of other addresses.
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeEngine.sol#L197
From the code, we know that an authorized user can revoke the authorization of all other users, including the auth authorization of LockstakeEngine to LockstakeClipper. As a result, LockstakeEngine cannot be liquidated.
Internal pre-conditions
External pre-conditions
No response
Attack Path
Impact
Revoking the authorization of the liquidation module prevents LockstakeEngine from being liquidated, resulting in a loss of funds for the protocol.
PoC
No response
Mitigation
No response
Duplicate of #48