Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 106/113
Findings: 1
Award: $0.09
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: NPCsCorp
Also found by: 0x11singh99, 0xAadi, 0xBugSlayer, 0xE1, 0xPluto, 0xSimeon, 0xSmartContract, 0xabhay, 0xdice91, 0xprinc, Aamir, Aymen0909, CDSecurity, DadeKuma, DarkTower, EV_om, Eeyore, GeekyLumberjack, GhK3Ndf, Giorgio, Greed, Inference, JanuaryPersimmon2024, Kaysoft, Krace, Matue, MrPotatoMagic, NentoR, Nikki, PUSH0, Soliditors, Tendency, Tigerfrake, Timeless, Timenov, ZanyBonzy, ZdravkoHr, abiih, adeolu, al88nsk, azanux, bareli, boredpukar, cu5t0mpeo, d4r3d3v1l, darksnow, deth, dutra, ether_sky, haxatron, ke1caM, kodyvim, m4ttm, mgf15, mrudenko, nmirchev8, nobody2018, nuthan2x, peanuts, piyushshukla, ravikiranweb3, rouhsamad, seraviz, simplor, slylandro_star, stealth, th13vn, vnavascues, wangxx2026, zaevlad
0.0879 USDC - $0.09
Detailed description of the impact of this finding.
The setRouter function is a critical vulnerability because it does not restrict who can call it. An attacker could call this function to set themselves as the router and then mint or burn tokens at will.
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
function setRouter(address _router) public {
@>  router = _router;
}
Use an access control modifier for access control.
Access Control
#0 - c4-pre-sort
2024-01-24T18:13:26Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-24T18:13:33Z
raymondfam marked the issue as duplicate of #14
#2 - c4-judge
2024-02-03T13:19:25Z
alex-ppg marked the issue as partial-75
#3 - alex-ppg
2024-02-03T13:19:32Z
The submission lacks sufficient comparative quality to be considered for a full reward.
#4 - c4-judge
2024-02-04T23:07:52Z
alex-ppg changed the severity to 3 (High Risk)