PoolTogether - YY's results

A protocol for no-loss prize savings

General Information

Platform: Code4rena

Start Date: 07/07/2023

Pot Size: $121,650 USDC

Total HM: 36

Participants: 111

Period: 7 days

Judge: Picodes

Total Solo HM: 13

Id: 258

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 90/111

Findings: 1

Award: $19.29

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

19.2867 USDC - $19.29

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
edited-by-warden
duplicate-431

External Links

Lines of code

https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L299-L306

Vulnerability details

Impact

The setDrawManager function in the contract can be invoked by any Ethereum address. This exposes the contract to potential risks if malicious actors exploit this unrestricted access.

A malicious actor could potentially take control of the contract by setting the drawManager address to an address under their control before the legitimate owner gets a chance to set it.

    function setDrawManager(address _drawManager) external {
        if (drawManager != address(0)) {
            revert DrawManagerAlreadySet();
        }
        drawManager = _drawManager;
        emit DrawManagerSet(_drawManager);
    }

Proof of Concept

The setDrawManager function is external and has no caller check; its only restriction is that drawManager must still be address(0), which means the first caller can set drawManager to any address.

Alice sees that the contract has been deployed but the drawManager has not been set yet. She sets the drawManager to an address under her control. The contract now follows Alice's commands instead of the intended drawManager address.

Tools Used

Manual Analysis

Recommended Mitigation Steps

Implement a permission scheme (e.g., an onlyOwner modifier) to limit who can call the setDrawManager function. Only the owner of the contract or an authorized address should have the right to execute this function.
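As an added illustration (not the PoolTogether code and not part of the original finding), the unprotected one-time setter is shown beside an owner-restricted version; the contract names, the owner variable and the custom errors NotOwner and ZeroAddress are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not the PoolTogether source.
// Vulnerable pattern from the finding: the first caller wins the race.
contract UnprotectedPrizePool {
    address public drawManager;
    error DrawManagerAlreadySet();
    event DrawManagerSet(address indexed drawManager);

    function setDrawManager(address _drawManager) external {
        if (drawManager != address(0)) revert DrawManagerAlreadySet();
        drawManager = _drawManager;
        emit DrawManagerSet(_drawManager);
    }
}

// Hardened pattern: the one-time initialisation is restricted to the
// deployer, so no other account can front-run the legitimate call.
contract HardenedPrizePool {
    address public immutable owner;   // assumed: set at deployment
    address public drawManager;
    error DrawManagerAlreadySet();
    error NotOwner();                 // assumed custom error
    error ZeroAddress();              // assumed custom error
    event DrawManagerSet(address indexed drawManager);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function setDrawManager(address _drawManager) external onlyOwner {
        if (drawManager != address(0)) revert DrawManagerAlreadySet();
        // Reject address(0) so the "already set" guard cannot be bypassed
        // by a zero value that leaves the slot re-settable.
        if (_drawManager == address(0)) revert ZeroAddress();
        drawManager = _drawManager;
        emit DrawManagerSet(_drawManager);
    }
}
```

Passing the draw manager address to the constructor instead of a separate setter removes the initialisation window entirely and is the simplest fix when the address is known at deployment.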

Assessed type

Access Control

#0 - c4-judge

2023-07-14T22:59:33Z

Picodes marked the issue as duplicate of #356

#1 - c4-judge

2023-08-06T10:31:36Z

Picodes changed the severity to 2 (Med Risk)

#2 - c4-judge

2023-08-06T10:32:29Z

Picodes marked the issue as satisfactory
