Decent - Krace's results

Decent enables one-click transactions using any token across chains.

General Information

Platform: Code4rena

Start Date: 19/01/2024

Pot Size: $36,500 USDC

Total HM: 9

Participants: 113

Period: 3 days

Judge: 0xsomeone

Id: 322

League: ETH

Decent

Findings Distribution

Researcher Performance

Rank: 99/113

Findings: 1

Award: $0.09

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DcntEth.sol#L20-L22

Vulnerability details

Impact

The function setRouter performs no access control, so any caller can set an arbitrary router address and then freely mint and burn tokens.

Proof of Concept

The function setRouter performs no access control, so any caller can set an arbitrary router address and then freely mint and burn tokens.

    //@audit anyone can set a router, and the router is the only address allowed to mint and burn
    function setRouter(address _router) public {
        router = _router;
    }

    // gated by onlyRouter, but the router itself can be chosen by anyone
    function mint(address _to, uint256 _amount) public onlyRouter {
        _mint(_to, _amount);
    }

    function burn(address _from, uint256 _amount) public onlyRouter {
        _burn(_from, _amount);
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Add the onlyOwner modifier to setRouter so that only the contract owner can change the router address.
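The hardened version of the token together with a Foundry regression test for the fix, as an added example that is not the decent-bridge code. It assumes OpenZeppelin Contracts v5 (Ownable takes its initial owner in the constructor) and forge-std, and uses a plain ERC20 base in place of the token's real base contract; the contract and test names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example (not decent-bridge code). Assumes OpenZeppelin Contracts v5
// and forge-std; ERC20 stands in for the token's real base contract.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Test} from "forge-std/Test.sol";
contract DcntEthHardened is ERC20, Ownable {
    address public router;

    modifier onlyRouter() {
        require(msg.sender == router, "DcntEth: caller is not the router");
        _;
    }

    constructor() ERC20("Decent Eth", "DcntEth") Ownable(msg.sender) {}

    // Fix: only the owner may change the router, the single address that can
    // reach the onlyRouter mint/burn paths.
    function setRouter(address _router) public onlyOwner {
        router = _router;
    }

    function mint(address _to, uint256 _amount) public onlyRouter {
        _mint(_to, _amount);
    }

    function burn(address _from, uint256 _amount) public onlyRouter {
        _burn(_from, _amount);
    }
}
// Regression test: a non-owner can no longer install itself as router.
contract DcntEthAccessTest is Test {
    DcntEthHardened token;
    address stranger = address(0xBEEF); // constructed sample address

    function setUp() public { token = new DcntEthHardened(); } // test is owner

    function testNonOwnerCannotSetRouter() public {
        vm.prank(stranger);
        vm.expectRevert(); // Ownable reverts with OwnableUnauthorizedAccount
        token.setRouter(stranger);
        assertEq(token.router(), address(0));
    }
    function testOwnerCanSetRouterAndRouterCanMint() public {
        token.setRouter(address(this));
        token.mint(address(1), 1 ether);
        assertEq(token.balanceOf(address(1)), 1 ether);
    }
}
```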

Assessed type

Access Control

#0 - c4-pre-sort

2024-01-24T03:36:05Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-01-24T03:36:11Z

raymondfam marked the issue as duplicate of #14

#2 - c4-judge

2024-02-03T13:26:42Z

alex-ppg marked the issue as satisfactory

#3 - c4-judge

2024-02-03T13:26:46Z

alex-ppg marked the issue as partial-75

#4 - alex-ppg

2024-02-03T13:27:09Z

The comparative quality of the submission is low as it copy-pastes the same line between its impact and proof of concept chapter.

#5 - merc1995

2024-02-05T03:19:25Z

Why waste the judge's time by writing additional content when this simple vulnerability can be summarized in one sentence?
