Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 86/113
Findings: 1
Award: $0.12
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: NPCsCorp
Also found by: 0x11singh99, 0xAadi, 0xBugSlayer, 0xE1, 0xPluto, 0xSimeon, 0xSmartContract, 0xabhay, 0xdice91, 0xprinc, Aamir, Aymen0909, CDSecurity, DadeKuma, DarkTower, EV_om, Eeyore, GeekyLumberjack, GhK3Ndf, Giorgio, Greed, Inference, JanuaryPersimmon2024, Kaysoft, Krace, Matue, MrPotatoMagic, NentoR, Nikki, PUSH0, Soliditors, Tendency, Tigerfrake, Timeless, Timenov, ZanyBonzy, ZdravkoHr, abiih, adeolu, al88nsk, azanux, bareli, boredpukar, cu5t0mpeo, d4r3d3v1l, darksnow, deth, dutra, ether_sky, haxatron, ke1caM, kodyvim, m4ttm, mgf15, mrudenko, nmirchev8, nobody2018, nuthan2x, peanuts, piyushshukla, ravikiranweb3, rouhsamad, seraviz, simplor, slylandro_star, stealth, th13vn, vnavascues, wangxx2026, zaevlad
0.1172 USDC - $0.12
The function setRouter in the contract DcntEth has no access control, so anyone can set the router for the contract. Once the attacker has set himself as the router, he can mint and burn any amount of DcntEth tokens for any address, because the mint and burn functions are protected only by the onlyRouter modifier.
One of the possible attack scenarios:
1. The attacker calls setRouter and sets himself as the router.
2. The attacker mints DcntEth tokens for himself.
3. The attacker calls the DecentEthRouter contract, which transfers the DcntEth tokens to the contract and then transfers WETH to the attacker (or the attacker can call redeemEth). This way the attacker can withdraw all WETH from DecentEthRouter.
Tools used: Manual review
Recommended mitigation: Add the onlyOwner modifier to the setRouter function.
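As an added illustration (written for this note; it is not the audited DcntEth source and not the project's code), the simplified Solidity below shows an unprotected setRouter beside the onlyOwner-guarded version the mitigation recommends, together with a Foundry test that pins the expected behaviour. The owner bookkeeping is inlined to keep the file self-contained; a real fix would normally reuse a library Ownable. The contract names, the "not owner"/"not router" revert strings, the RouterSet event and the attacker address are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Simplified stand-in for the vulnerable token (assumed shape, not the audited code).
// mint/burn are gated by onlyRouter, but the router itself can be set by anyone.
contract DcntEthVulnerable {
    address public router;
    mapping(address => uint256) public balanceOf;

    modifier onlyRouter() {
        require(msg.sender == router, "not router");
        _;
    }

    // BUG: no access control, so any caller can become the router
    // and thereby pass the onlyRouter check on mint and burn.
    function setRouter(address _router) external {
        router = _router;
    }

    function mint(address to, uint256 amount) external onlyRouter {
        balanceOf[to] += amount;
    }

    function burn(address from, uint256 amount) external onlyRouter {
        balanceOf[from] -= amount;
    }
}

// Hardened version: only the owner may change the router, the zero address is
// rejected, and the change is emitted so monitoring can alert on router rotation.
contract DcntEthFixed {
    address public owner;
    address public router;
    mapping(address => uint256) public balanceOf;

    event RouterSet(address indexed previousRouter, address indexed newRouter);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier onlyRouter() {
        require(msg.sender == router, "not router");
        _;
    }

    // FIX: the onlyOwner modifier restricts router changes to the owner.
    function setRouter(address _router) external onlyOwner {
        require(_router != address(0), "zero router");
        emit RouterSet(router, _router);
        router = _router;
    }

    function mint(address to, uint256 amount) external onlyRouter {
        balanceOf[to] += amount;
    }

    function burn(address from, uint256 amount) external onlyRouter {
        balanceOf[from] -= amount;
    }
}

// Foundry regression test (assumed harness): documents the bug on the vulnerable
// contract and asserts the fix holds on the hardened one.
contract SetRouterAccessControlTest is Test {
    address constant ATTACKER = address(0xBEEF); // constructed sample address

    function testUnprivilegedCallerCanSetRouterOnVulnerable() public {
        DcntEthVulnerable token = new DcntEthVulnerable();
        vm.prank(ATTACKER);
        token.setRouter(ATTACKER);
        assertEq(token.router(), ATTACKER); // the bug: router hijacked
    }

    function testOnlyOwnerCanSetRouterOnFixed() public {
        DcntEthFixed token = new DcntEthFixed(); // this test contract is the owner
        vm.expectRevert(bytes("not owner"));
        vm.prank(ATTACKER);
        token.setRouter(ATTACKER);
        assertEq(token.router(), address(0)); // unchanged after the failed call

        token.setRouter(address(this)); // owner call succeeds
        assertEq(token.router(), address(this));
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed; the first test is expected to pass only because it encodes the vulnerable behaviour, which is useful as a negative example when reviewing the diff that introduces the onlyOwner guard.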
Access Control
#0 - c4-pre-sort
2024-01-24T06:19:22Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-24T06:19:27Z
raymondfam marked the issue as duplicate of #14
#2 - c4-judge
2024-02-03T13:24:13Z
alex-ppg marked the issue as satisfactory