Platform: Code4rena
Start Date: 18/05/2023
Pot Size: $24,500 USDC
Total HM: 3
Participants: 72
Period: 4 days
Judge: LSDan
Id: 237
League: ETH
Rank: 61/72
Findings: 1
Award: $16.19
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: ABA
Also found by: 0x4non, 0xHati, 0xMosh, 0xSmartContract, 0xWaitress, 0xhacksmithh, 0xnev, 0xprinc, Arabadzhiev, BLACK-PANDA-REACH, Deekshith99, Dimagu, KKat7531, Kose, LosPollosHermanos, MohammedRizwan, QiuhaoLi, RaymondFam, Rickard, Rolezn, SAAJ, Sathish9098, Shubham, SmartGooofy, Tripathi, Udsen, V1235816, adriro, arpit, ayden, bigtone, codeVolcan, d3e4, dwward3n, fatherOfBlocks, favelanky, jovemjeune, kutugu, lfzkoala, lukris02, matrix_0wl, minhquanym, ni8mare, parsely, pxng0lin, radev_sw, ravikiranweb3, rbserver, sces60107, souilos, tnevler, turvy_fuzz, yellowBirdy
16.1907 USDC - $16.19
The bug in the provided code is related to an incorrect authorization check in the didPay function. The original code uses the revert statement to handle unauthorized access, but it should be using the require statement instead.
In the incorrect code: https://github.com/code-423n4/2023-05-juicebox/blob/9a36e5c8d0588f0f262a0cd1c08e34b2184d8f4d/juice-buyback/contracts/JBXBuybackDelegate.sol#L185
if (msg.sender != address(jbxTerminal)) revert JuiceBuyback_Unauthorized();
The condition checks if the msg.sender (the caller of the function) is not equal to the address(jbxTerminal). If the condition evaluates to true, it triggers a revert statement, which reverts the transaction and rolls back any changes made.
However, using revert in this context is not the appropriate way to handle authorization checks. The revert statement is typically used to revert the entire transaction when a condition is not met. In this case, it should be using the require statement, which is specifically designed for authorization checks.
The correct code should be:
require(msg.sender == address(jbxTerminal), "JuiceBuyback_Unauthorized");
The require statement checks if the condition (msg.sender == address(jbxTerminal)) is true. If the condition is false, it will revert the transaction and provide an error message ("JuiceBuyback_Unauthorized").
Using require ensures that the condition for authorization is met, and if not, it immediately halts the execution and reverts the transaction, preventing unauthorized access to the didPay function.
By replacing revert with require, the code enforces proper authorization checks and enhances the security of the smart contract.
#0 - c4-pre-sort
2023-05-24T10:12:55Z
dmvt marked the issue as low quality report
#1 - c4-judge
2023-06-02T10:54:13Z
dmvt marked the issue as grade-b