Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 90/113
Findings: 1
Award: $0.12
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: NPCsCorp
Also found by: 0x11singh99, 0xAadi, 0xBugSlayer, 0xE1, 0xPluto, 0xSimeon, 0xSmartContract, 0xabhay, 0xdice91, 0xprinc, Aamir, Aymen0909, CDSecurity, DadeKuma, DarkTower, EV_om, Eeyore, GeekyLumberjack, GhK3Ndf, Giorgio, Greed, Inference, JanuaryPersimmon2024, Kaysoft, Krace, Matue, MrPotatoMagic, NentoR, Nikki, PUSH0, Soliditors, Tendency, Tigerfrake, Timeless, Timenov, ZanyBonzy, ZdravkoHr, abiih, adeolu, al88nsk, azanux, bareli, boredpukar, cu5t0mpeo, d4r3d3v1l, darksnow, deth, dutra, ether_sky, haxatron, ke1caM, kodyvim, m4ttm, mgf15, mrudenko, nmirchev8, nobody2018, nuthan2x, peanuts, piyushshukla, ravikiranweb3, rouhsamad, seraviz, simplor, slylandro_star, stealth, th13vn, vnavascues, wangxx2026, zaevlad
0.1172 USDC - $0.12
The function DcntEth.setRouter, which is responsible for setting the router address, has no access control. This router address also has the authority to mint and burn tokens. The lack of access control lets anyone set their own address as the router and mint unlimited tokens. The user can then burn those tokens to convert them into ETH. This will lead to loss of funds for the protocol.
DecentEthRouter.removeLiquidityEth().
Manual Review
Enforce access control by allowing only the owner to set the value.
/** * @param _router the decentEthRouter associated with this eth */ - function setRouter(address _router) public { + function setRouter(address _router) public onlyOwner { router = _router; }
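Review bot: setRouter still accepts any address, including address(0), and emits no event when router changes. Since the report states that the router can mint and burn, consider rejecting the zero address and emitting an event carrying the old and new router so that every change is auditable. The hunk also relies on onlyOwner without showing where it is defined; confirm that DcntEth inherits an ownable base and that the owner is set at deployment, otherwise the modifier either fails to compile or guards nothing useful.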
Access Control
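A review-time check for this bug class, added here as an example (not code from the report or from the audited project): a small Python scanner that flags public or external Solidity functions which write a state variable with no access-control modifier and no msg.sender check. The modifier list, the function name `unguarded_setters` and the contract snippets are constructed for illustration; the sample models the setRouter case described above.

```python
import re

# Modifier names counted as access control. Assumption: extend for your code base.
ACCESS_MODIFIERS = {"onlyOwner", "onlyRole", "onlyRouter", "requiresAuth"}

# Matches functions with a flat body (no nested braces), which covers simple setters.
FUNC_RE = re.compile(
    r"function\s+(?P<name>\w+)\s*\([^)]*\)\s*(?P<header>[^{;]*)\{(?P<body>[^{}]*)\}"
)
# A bare `name = value` statement: a write to a state variable, not a typed local.
STATE_WRITE_RE = re.compile(r"(?:^|;)\s*\w+\s*=(?!=)")


def unguarded_setters(source):
    """Return names of public/external functions that write state with no caller check."""
    source = re.sub(r"/\*.*?\*/|//[^\n]*", "", source, flags=re.S)  # drop comments
    findings = []
    for m in FUNC_RE.finditer(source):
        words = set(re.findall(r"\w+", m["header"]))
        if not words & {"public", "external"}:
            continue  # internal/private: not directly callable
        if words & {"view", "pure"}:
            continue  # cannot modify state
        if words & ACCESS_MODIFIERS or "msg.sender" in m["body"]:
            continue  # guarded by a modifier or an inline sender check
        if STATE_WRITE_RE.search(m["body"]):
            findings.append(m["name"])
    return findings


# Constructed sample modelled on the finding; not the project's actual source.
VULNERABLE = """
contract DcntEth {
    address public router;
    /** @param _router the decentEthRouter associated with this eth */
    function setRouter(address _router) public {
        router = _router;
    }
    function mint(address _to, uint256 _amount) public onlyRouter {
        _mint(_to, _amount);
    }
}
"""
FIXED = VULNERABLE.replace("public {", "public onlyOwner {")

if __name__ == "__main__":
    print("before fix:", unguarded_setters(VULNERABLE))
    print("after fix: ", unguarded_setters(FIXED))
```

The regex only sees functions whose body has no nested braces, so it is a triage aid for simple setters rather than a replacement for a full static analyzer.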
#0 - c4-pre-sort
2024-01-24T16:19:53Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-24T16:19:59Z
raymondfam marked the issue as duplicate of #14
#2 - c4-judge
2024-02-03T13:23:00Z
alex-ppg marked the issue as satisfactory