Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 79/113
Findings: 1
Award: $0.12
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: NPCsCorp
Also found by: 0x11singh99, 0xAadi, 0xBugSlayer, 0xE1, 0xPluto, 0xSimeon, 0xSmartContract, 0xabhay, 0xdice91, 0xprinc, Aamir, Aymen0909, CDSecurity, DadeKuma, DarkTower, EV_om, Eeyore, GeekyLumberjack, GhK3Ndf, Giorgio, Greed, Inference, JanuaryPersimmon2024, Kaysoft, Krace, Matue, MrPotatoMagic, NentoR, Nikki, PUSH0, Soliditors, Tendency, Tigerfrake, Timeless, Timenov, ZanyBonzy, ZdravkoHr, abiih, adeolu, al88nsk, azanux, bareli, boredpukar, cu5t0mpeo, d4r3d3v1l, darksnow, deth, dutra, ether_sky, haxatron, ke1caM, kodyvim, m4ttm, mgf15, mrudenko, nmirchev8, nobody2018, nuthan2x, peanuts, piyushshukla, ravikiranweb3, rouhsamad, seraviz, simplor, slylandro_star, stealth, th13vn, vnavascues, wangxx2026, zaevlad
0.1172 USDC - $0.12
There is no access modifier in DcntEth::setRouter. Therefore anyone can call this function and change the router. This will bypass the modifier onlyRouter when mint() and burn() are called.
In this PoC, I will show how the attack can happen:
Create folder audit in the test folder.
Create file called DcntEthTest.t.sol.
Copy from this Gist and paste into the file.
Run forge test --match-test test_change_router in the terminal.
Test passes:
[PASS] test_change_router() (gas: 40988)
Manual Review, Foundry
Add onlyOwner modifier to setRouter function:
- function setRouter(address _router) public { + function setRouter(address _router) public onlyOwner { router = _router; }
Access Control
#0 - c4-pre-sort
2024-01-24T04:11:29Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-24T04:11:36Z
raymondfam marked the issue as duplicate of #14
#2 - c4-judge
2024-02-03T13:26:08Z
alex-ppg marked the issue as satisfactory