Platform: Code4rena
Start Date: 08/09/2023
Pot Size: $70,000 USDC
Total HM: 8
Participants: 84
Period: 6 days
Judge: gzeon
Total Solo HM: 2
Id: 285
League: ETH
Rank: 67/84
Findings: 1
Award: $12.79
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: castle_chain
Also found by: 0xAadi, 0xHelium, 0xLook, 0xblackskull, 0xfuje, 0xmystery, 0xnev, 0xpiken, 7ashraf, BARW, Bauchibred, Bughunter101, Ch_301, JP_Courses, Kaysoft, Krace, MohammedRizwan, SanketKogekar, Sathish9098, alexzoid, ast3ros, btk, catellatech, degensec, fatherOfBlocks, grearlake, imtybik, jkoppel, jolah1, klau5, lsaudit, m_Rassska, merlin, mrudenko, nobody2018, rokinot, rvierdiiev, sandy
12.7917 USDC - $12.79
https://github.com/code-423n4/2023-09-centrifuge/blob/main/src/LiquidityPool.sol#L97-L100
The withApproval modifier in the contract is not functioning as intended, as it restricts access only to the owner of the assets and not to authorized administrators, which is not the expected behavior.
    /// @dev Either msg.sender is the owner or a ward on the contract
    modifier withApproval(address owner) {
        require(msg.sender == owner, "LiquidityPool/no-approval");
        _;
    }
Every function with the withApproval modifier is supposed to only be called by the Owner of the assets or an authorized admin, but with the current implementation, the function will revert if called by someone other than the owner of the asset.
Manual review
To address this issue, we recommend updating the modifier as follows:
    /// @dev Either msg.sender is the owner or a ward on the contract
    modifier withApproval(address owner) {
        require(msg.sender == owner || wards[msg.sender] == 1, "LiquidityPool/no-approval");
        _;
    }
Invalid Validation
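The two forms of the check quoted above, side by side in a self-contained model with a harness that calls each one as a ward, as a stranger and as the owner. This is an added example, not code from the submission or from the project: `ApprovalModel`, `ApprovalCheck`, `withApprovalOrWard`, `strict`, `relaxed`, `OTHER_OWNER` and the constructor-assigned ward are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Constructed model of the access check only; not the project's contract.
contract ApprovalModel {
    mapping(address => uint256) public wards;

    constructor(address ward) {
        wards[ward] = 1; // assumption: a ward is any address mapped to 1
    }

    /// Check as quoted in the finding: only the owner passes.
    modifier withApproval(address owner) {
        require(msg.sender == owner, "LiquidityPool/no-approval");
        _;
    }

    /// Check as recommended in the finding: the owner or any ward passes.
    modifier withApprovalOrWard(address owner) {
        require(msg.sender == owner || wards[msg.sender] == 1, "LiquidityPool/no-approval");
        _;
    }

    function strict(address owner) external view withApproval(owner) returns (bool) { return true; }
    function relaxed(address owner) external view withApprovalOrWard(owner) returns (bool) { return true; }
}

/// Hypothetical harness: this contract is a ward on one model and a stranger on the other.
contract ApprovalCheck {
    address constant OTHER_OWNER = address(0xB0B); // constructed address
    ApprovalModel public immutable asWard;
    ApprovalModel public immutable asStranger;

    constructor() {
        asWard = new ApprovalModel(address(this));
        asStranger = new ApprovalModel(address(1)); // this contract is not a ward here
    }

    function run() external view returns (bool wardStrict, bool wardRelaxed, bool strangerRelaxed, bool ownerStrict) {
        try asWard.strict(OTHER_OWNER) returns (bool ok) { wardStrict = ok; } catch {} // ward, other owner: owner-only check reverts
        try asWard.relaxed(OTHER_OWNER) returns (bool ok) { wardRelaxed = ok; } catch {} // ward, other owner: ward branch passes
        try asStranger.relaxed(OTHER_OWNER) returns (bool ok) { strangerRelaxed = ok; } catch {} // neither owner nor ward: reverts
        try asStranger.strict(address(this)) returns (bool ok) { ownerStrict = ok; } catch {} // caller is the owner: passes
    }
}
```

In the relaxed form a ward passes the check for every `owner` value, so any function guarded by it treats ward keys as able to act for all owners.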
#0 - c4-pre-sort
2023-09-16T00:15:57Z
raymondfam marked the issue as low quality report
#1 - c4-pre-sort
2023-09-16T00:16:08Z
raymondfam marked the issue as duplicate of #41
#2 - c4-judge
2023-09-25T16:09:58Z
gzeon-c4 changed the severity to QA (Quality Assurance)