Platform: Code4rena
Start Date: 22/09/2023
Pot Size: $100,000 USDC
Total HM: 15
Participants: 175
Period: 14 days
Judge: alcueca
Total Solo HM: 4
Id: 287
League: ETH
Rank: 88/175
Findings: 2
Award: $25.79
π Selected for report: 0
π Solo Findings: 0
π Selected for report: 0xTheC0der
Also found by: 0x180db, 0xDING99YA, 0xRstStn, 0xTiwa, 0xWaitress, 0xblackskull, 0xfuje, 3docSec, Aamir, Black_Box_DD, HChang26, Hama, Inspecktor, John_Femi, Jorgect, Kek, KingNFT, Kow, Limbooo, MIQUINHO, MrPotatoMagic, NoTechBG, Noro, Pessimistic, QiuhaoLi, SovaSlava, SpicyMeatball, T1MOH, TangYuanShen, Vagner, Viktor_Cortess, Yanchuan, _eperezok, alexweb3, alexxander, ast3ros, ayden, bin2chen, blutorque, btk, ciphermarco, ether_sky, gumgumzum, gztttt, hals, imare, its_basu, joaovwfreire, josephdara, klau5, kodyvim, ladboy233, marqymarq10, mert_eren, minhtrng, n1punp, nobody2018, oada, orion, peakbolt, peritoflores, perseverancesuccess, pfapostol, rvierdiiev, stuxy, tank, unsafesol, ustas, windhustler, zambody, zzzitron
0.1127 USDC - $0.11
payableCall() in VirtualAccount.sol has no access control and anyone can steal the token from it
payableCall() in VirtualAccount.sol has no access control at all:
function payableCall(PayableCall[] calldata calls) public payable returns (bytes[] memory returnData) { uint256 valAccumulator; uint256 length = calls.length; returnData = new bytes[](length); PayableCall calldata _call; for (uint256 i = 0; i < length;) { _call = calls[i]; uint256 val = _call.value; // Humanity will be a Type V Kardashev Civilization before this overflows - andreas // ~ 10^25 Wei in existence << ~ 10^76 size uint fits in a uint256 unchecked { valAccumulator += val; } bool success; if (isContract(_call.target)) (success, returnData[i]) = _call.target.call{value: val}(_call.callData); if (!success) revert CallFailed(); unchecked { ++i; } } // Finally, make sure the msg.value = SUM(call[0...i].value) if (msg.value != valAccumulator) revert CallFailed(); }
As a result anyone can call any token contract through it and transfer the token in this Virtual Account.
Manual Review
Add requiresApprovedCaller modifier like call().
Access Control
#0 - c4-pre-sort
2023-10-09T07:05:45Z
0xA5DF marked the issue as duplicate of #888
#1 - c4-pre-sort
2023-10-09T07:05:50Z
0xA5DF marked the issue as sufficient quality report
#2 - c4-judge
2023-10-26T11:32:55Z
alcueca marked the issue as satisfactory
π Selected for report: MrPotatoMagic
Also found by: 0xAadi, 0xDING99YA, 0xDemon, 0xRstStn, 0xSmartContract, 0xStriker, 0xWaitress, 0xbrett8571, 0xfuje, 0xsagetony, 0xsurena, 33BYTEZZZ, 3docSec, 7ashraf, ABA, ABAIKUNANBAEV, Aamir, Audinarey, Bauchibred, Black_Box_DD, Daniel526, DanielArmstrong, DanielTan_MetaTrust, Dinesh11G, Eurovickk, Franklin, Inspecktor, John, Jorgect, Joshuajee, K42, Kek, Koolex, LokiThe5th, MIQUINHO, Myd, NoTechBG, QiuhaoLi, SanketKogekar, Sathish9098, Sentry, Soul22, SovaSlava, Stormreckson, Tendency, Topmark, Udsen, V1235816, Viktor_Cortess, Viraz, Yanchuan, ZdravkoHr, Zims, albahaca, albertwh1te, alexweb3, alexxander, ast3ros, audityourcontracts, bareli, bin2chen, bronze_pickaxe, c0pp3rscr3w3r, cartlex_, castle_chain, chaduke, debo, ether_sky, gumgumzum, imare, its_basu, jaraxxus, jasonxiale, josephdara, kodyvim, ladboy233, lanrebayode77, lsaudit, mert_eren, minhtrng, n1punp, nadin, niroh, nmirchev8, orion, peakbolt, perseverancesuccess, pfapostol, ptsanev, rvierdiiev, saneryee, shaflow2, te_aut, terrancrypt, twcctop, unsafesol, ustas, versiyonbir, windhustler, yongskiws, zhaojie, ziyou-
25.6785 USDC - $25.68
setCoreRouter() in BranchPort.sol requires only coreRouter can call it, however, there is no such function in CoreBranchRouter.sol to call this function. As a result this function is unreachable.
setCoreRouter() has a requireCoreRouter modifier, so only coreBranchRouter can call it. CoreBranchRouter.sol inherits from the BaseBranchRouter.sol, however, in both these two contracts there is no way to trigger a call to setCoreRouter() in BranchPort.sol. So setCoreRouter() is unaccessible.
Manual Review
in executeNoSettlement() in CoreBranchRouter.sol add a case to call setCoreRouter()
Other
#0 - c4-pre-sort
2023-10-15T05:32:01Z
0xA5DF marked the issue as sufficient quality report
#1 - c4-pre-sort
2023-10-15T05:32:06Z
0xA5DF marked the issue as primary issue
#2 - 0xA5DF
2023-10-15T05:32:34Z
Seems like unused code, which is a QA But will leave open for sponsor to comment if there's any additional impact
#3 - c4-sponsor
2023-10-16T22:57:14Z
0xLightt (sponsor) confirmed
#4 - c4-sponsor
2023-10-16T22:57:33Z
0xLightt marked the issue as disagree with severity
#5 - 0xLightt
2023-10-16T22:58:13Z
There is no impact other than bytecode size, but we should remove this function - that is unused/dead code.
#6 - c4-judge
2023-10-24T14:23:19Z
alcueca changed the severity to QA (Quality Assurance)
#7 - c4-judge
2023-10-24T14:23:26Z
alcueca marked the issue as grade-a