Platform: Code4rena
Start Date: 23/06/2023
Pot Size: $60,500 USDC
Total HM: 31
Participants: 132
Period: 10 days
Judge: 0xean
Total Solo HM: 10
Id: 254
League: ETH
Rank: 107/132
Findings: 1
Award: $18.42
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: alexweb3
Also found by: D_Auditor, DedOhWale, DelerRH, LuchoLeonel1, Musaka, Neon2835, Silvermist, Timenov, TorpedoPistolIXC41, adeolu, cartlex_, hals, josephdara, koo, lanrebayode77, mahyar, mladenov, mrudenko, pep7siup, zaevlad, zaggle
18.4208 USDC - $18.42
https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/configuration/LybraConfigurator.sol#L85-L88 https://github.com/code-423n4/2023-06-lybra/blob/7b73ef2fbb542b569e182d9abf79be643ca883ee/contracts/lybra/configuration/LybraConfigurator.sol#L90-L93
onlyRole and checkRole modifiers aren't implemented correctly so they don't protect the functions in which they're used. Having no check would mean that this modifier will always be bypassed and would result in everyone having the ability to call the functions that should be callable only for people who have a role.
For example, this function has checkRole modifier which means only a user with a defined role can set a flash loan fee but with the wrong implementation of the modifier, everyone can set the fee of the flash loan which can lead to loss of funds.
function setFlashloanFee(uint256 fee) external checkRole(TIMELOCK) { if (fee > 10_000) revert('EL'); emit FlashloanFeeUpdated(fee); flashloanFee = fee; }
Manual Review
Add require to the modifiers
modifier onlyRole(bytes32 role) { require(GovernanceTimelock.checkOnlyRole(role, msg.sender), ""); _; }
modifier checkRole(bytes32 role) { require(GovernanceTimelock.checkRole(role, msg.sender), ""); _; }
Access Control
#0 - c4-pre-sort
2023-07-09T01:55:36Z
JeffCX marked the issue as duplicate of #704
#1 - c4-judge
2023-07-28T17:18:46Z
0xean marked the issue as satisfactory