Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 101/113
Findings: 1
Award: $0.09
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: NPCsCorp
Also found by: 0x11singh99, 0xAadi, 0xBugSlayer, 0xE1, 0xPluto, 0xSimeon, 0xSmartContract, 0xabhay, 0xdice91, 0xprinc, Aamir, Aymen0909, CDSecurity, DadeKuma, DarkTower, EV_om, Eeyore, GeekyLumberjack, GhK3Ndf, Giorgio, Greed, Inference, JanuaryPersimmon2024, Kaysoft, Krace, Matue, MrPotatoMagic, NentoR, Nikki, PUSH0, Soliditors, Tendency, Tigerfrake, Timeless, Timenov, ZanyBonzy, ZdravkoHr, abiih, adeolu, al88nsk, azanux, bareli, boredpukar, cu5t0mpeo, d4r3d3v1l, darksnow, deth, dutra, ether_sky, haxatron, ke1caM, kodyvim, m4ttm, mgf15, mrudenko, nmirchev8, nobody2018, nuthan2x, peanuts, piyushshukla, ravikiranweb3, rouhsamad, seraviz, simplor, slylandro_star, stealth, th13vn, vnavascues, wangxx2026, zaevlad
0.0879 USDC - $0.09
The setRouter function in DcntEth.sol is public and can be called by anyone. An attacker can set any router using this function. This will create a problem in the functioning of the system.
Manual Review
Put an access specifier in the code such that only the authorised role can set the router address.
Access Control
#0 - c4-pre-sort
2024-01-24T22:26:04Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-24T22:26:10Z
raymondfam marked the issue as duplicate of #14
#2 - alex-ppg
2024-02-03T13:15:47Z
Insufficient justification of why this is a vulnerability (i.e. arbitrary mint of tokens).
#3 - c4-judge
2024-02-03T13:15:51Z
alex-ppg marked the issue as partial-75
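The finding's unrestricted setRouter and the judge's note about arbitrary minting, shown side by side with a restricted version. This is an added example, not code from the audited DcntEth.sol: the contract names, the owner field, the event and the assumption that mint is gated on the router are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal token, not the audited contract. Assumption: mint is
// restricted to the router, so whoever controls `router` controls supply.
abstract contract RouterGatedToken {
    address public router;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    error NotRouter();

    modifier onlyRouter() {
        if (msg.sender != router) revert NotRouter();
        _;
    }

    function mint(address to, uint256 amount) external onlyRouter {
        balanceOf[to] += amount;
        totalSupply += amount;
    }
}

// Weak: any caller may replace the router and then pass onlyRouter.
contract UnrestrictedRouterToken is RouterGatedToken {
    function setRouter(address _router) public {
        router = _router;
    }
}

// Hardened: only the owner fixed at deployment may replace the router,
// and every change is logged so monitoring can alert on it.
contract OwnerRestrictedRouterToken is RouterGatedToken {
    address public immutable owner;

    error NotOwner();
    event RouterUpdated(address indexed previousRouter, address indexed newRouter);

    constructor() {
        owner = msg.sender;
    }

    function setRouter(address _router) external {
        if (msg.sender != owner) revert NotOwner();
        emit RouterUpdated(router, _router);
        router = _router;
    }
}
```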