Platform: Code4rena
Start Date: 31/01/2023
Pot Size: $90,500 USDC
Total HM: 47
Participants: 169
Period: 7 days
Judge: LSDan
Total Solo HM: 9
Id: 211
League: ETH
Rank: 140/169
Findings: 1
Award: $35.48
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x3b, 0xAgro, 0xBeirao, 0xMirce, 0xNineDec, 0xRobocop, 0xSmartContract, 0xTraub, 0xWeiss, 2997ms, 41i3xn, Awesome, Aymen0909, Bauer, Bnke0x0, Breeje, Cryptor, DadeKuma, Deathstore, Deekshith99, DevABDee, DevTimSch, Dewaxindo, Diana, Ermaniwe, Guild_3, H0, IceBear, Inspectah, JDeryl, Kaiziron, Kaysoft, Kenshin, Mukund, Praise, RaymondFam, Rickard, Rolezn, Ruhum, Sathish9098, SkyWalkerMan, SleepingBugs, UdarTeam, Udsen, Walter, aashar, adeolu, apvlki, arialblack14, ast3ros, btk, chaduke, chandkommanaboyina, chrisdior4, climber2002, codetilda, cryptonue, cryptostellar5, csanuragjain, ddimitrov22, descharre, dharma09, doublesharp, eccentricexit, ethernomad, fs0c, georgits, halden, hansfriese, hashminer0725, immeas, lukris02, luxartvinsec, matrix_0wl, merlin, mookimgo, mrpathfindr, nadin, olegthegoat, pavankv, rbserver, rebase, savi0ur, sayan, scokaf, seeu, shark, simon135, tnevler, tsvetanovv, ulqiorra, ustas, waldenyan20, y1cunhui, yongskiws, yosuke
35.4779 USDC - $35.48
There are no security checks in VaultController.changeVaultFees(address[] calldata vaults) and VaultController.changeVaultAdapters(address[] calldata vaults). This means that anyone can call these functions with arbitrary addresses. This will let the AdminProxy execute a call on those addresses with IVault.proposeFees.selector or IVault.changeAdapter.selector. Low severity because I can't think of a critical attack vector through this, but should the adminProxy ever get more functions, this might cause trouble.
Let's use the following contract as an example:
pragma solidity ^0.8.15; import {console} from "forge-std/console.sol"; contract AnyContract { function changeAdapter() external { console.log("Should never reach here"); } }
Now we can add a test case to VaultController.t.sol:
import {AnyContract} from "../AnyContract.sol"; function test__callAnyContract() public { address[] memory targets = new address[](1); targets[0] = address(new AnyContract()); controller.changeVaultAdapters(targets); }
Which should display the console message "Should never reach here".
VS Code, Manual review, Foundry
Consider putting restrictions on who can call changeAdapter and changeFees in VaultController.
#0 - c4-judge
2023-02-28T13:17:16Z
dmvt marked the issue as grade-b