Platform: Code4rena
Start Date: 24/02/2022
Pot Size: $170,000 UST
Total HM: 15
Participants: 16
Period: 14 days
Judge: Albert Chon
Total Solo HM: 11
Id: 82
League: COSMOS
Rank: 3/16
Findings: 1
Award: $18,202.54
🌟 Selected for report: 1
🚀 Solo Findings: 1
🌟 Selected for report: jmak
https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-bAsset-contracts/contracts/anchor_airdrop_registry/src/contract.rs#L109
https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-bAsset-contracts/contracts/anchor_airdrop_registry/src/contract.rs#L71
FabricateMIRClaim and FabricateANCClaim should only be issued by the Hub contract (the central hub for all minted bLuna, managed by Lido). However, execute_fabricate_anchor_claim and execute_fabricate_mir_claim do not check the caller at all, so any address can submit these messages.
It is recommended to add at least a simple access control check so that these handlers can only be called by the Hub contract and by nobody else; the check should run before the handler builds or dispatches any claim.
See below for a potential code snippet.
    // only hub contract can send this message.
    let config = read_config(deps.storage)?;
    let sender_raw = deps.api.addr_canonicalize(&info.sender.to_string())?;
    if sender_raw != config.hub_contract {
        return Err(StdError::generic_err("unauthorized"));
    }
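The following is an added illustration of the missing check and of the fix, written for this page and not taken from the Anchor repository. It models the airdrop registry's execute entry point with plain std types in place of cosmwasm_std (Addr, MessageInfo, Storage and StdError are replaced by simple stand-ins, addresses are kept as already-canonical strings, and the message set and the owner-gated UpdateConfig handler are assumed shapes), so that the vulnerable dispatcher and the hardened one can be run side by side and the difference observed in state.

```rust
// Added illustration, not code from the Anchor repository. cosmwasm_std types
// are replaced by std stand-ins so the control flow runs without a chain.

/// Subset of the registry's execute messages (assumed shape for this example).
#[derive(Debug, Clone, PartialEq)]
pub enum ExecuteMsg {
    FabricateMirClaim { stage: u8, amount: u128, proof: Vec<String> },
    FabricateAncClaim { stage: u8, amount: u128, proof: Vec<String> },
    UpdateConfig { hub_contract: Option<String> },
}

/// Stored config. The real contract stores CanonicalAddr and canonicalizes
/// info.sender per call; here both sides are already canonical strings.
#[derive(Debug, Clone, PartialEq)]
pub struct Config {
    pub owner: String,
    pub hub_contract: String,
}

/// Stand-in for cosmwasm_std::MessageInfo.
pub struct MessageInfo {
    pub sender: String,
}

/// Stand-in for contract storage: config plus a record of every claim that was
/// fabricated, so a caller can see whether a handler took effect.
#[derive(Default)]
pub struct State {
    pub config: Option<Config>,
    pub fabricated: Vec<(&'static str, u8, u128)>,
}

#[derive(Debug, PartialEq)]
pub enum ContractError {
    Unauthorized,
    NotInitialized,
}

fn read_config(state: &State) -> Result<Config, ContractError> {
    state.config.clone().ok_or(ContractError::NotInitialized)
}

/// Effectful part of the handler: the real contract builds and dispatches the
/// airdrop claim here; this stand-in only records (token, stage, amount).
fn fabricate(state: &mut State, token: &'static str, stage: u8, amount: u128) -> Result<(), ContractError> {
    state.fabricated.push((token, stage, amount));
    Ok(())
}

/// Assumed owner-gated config update, shown for contrast with the ungated handlers.
fn update_config(state: &mut State, config: &Config, info: &MessageInfo, hub: Option<String>) -> Result<(), ContractError> {
    if info.sender != config.owner {
        return Err(ContractError::Unauthorized);
    }
    if let Some(hub) = hub {
        state.config = Some(Config { hub_contract: hub, ..config.clone() });
    }
    Ok(())
}

/// The check the report recommends: reject anything not sent by the Hub.
fn assert_hub(config: &Config, info: &MessageInfo) -> Result<(), ContractError> {
    if info.sender != config.hub_contract {
        return Err(ContractError::Unauthorized);
    }
    Ok(())
}

/// Vulnerable shape: both fabricate handlers run for whoever sends the message.
pub fn execute_unchecked(state: &mut State, info: &MessageInfo, msg: ExecuteMsg) -> Result<(), ContractError> {
    let config = read_config(state)?;
    match msg {
        ExecuteMsg::FabricateMirClaim { stage, amount, .. } => fabricate(state, "MIR", stage, amount),
        ExecuteMsg::FabricateAncClaim { stage, amount, .. } => fabricate(state, "ANC", stage, amount),
        ExecuteMsg::UpdateConfig { hub_contract } => update_config(state, &config, info, hub_contract),
    }
}

/// Hardened shape: the sender is verified before either handler touches state.
pub fn execute_checked(state: &mut State, info: &MessageInfo, msg: ExecuteMsg) -> Result<(), ContractError> {
    let config = read_config(state)?;
    match msg {
        ExecuteMsg::FabricateMirClaim { stage, amount, .. } => {
            assert_hub(&config, info)?;
            fabricate(state, "MIR", stage, amount)
        }
        ExecuteMsg::FabricateAncClaim { stage, amount, .. } => {
            assert_hub(&config, info)?;
            fabricate(state, "ANC", stage, amount)
        }
        ExecuteMsg::UpdateConfig { hub_contract } => update_config(state, &config, info, hub_contract),
    }
}

/// Constructed fixture; the addresses are placeholders, not real Terra accounts.
pub fn fixture() -> State {
    State {
        config: Some(Config { owner: "terra1owner".into(), hub_contract: "terra1hub".into() }),
        fabricated: Vec::new(),
    }
}

fn main() {
    let attacker = MessageInfo { sender: "terra1attacker".into() };
    let msg = ExecuteMsg::FabricateMirClaim { stage: 1, amount: 1_000_000, proof: vec![] };
    let mut s = fixture();
    println!("unchecked, attacker: {:?}", execute_unchecked(&mut s, &attacker, msg.clone()));
    let mut s = fixture();
    println!("checked, attacker:   {:?}", execute_checked(&mut s, &attacker, msg));
}
```

The point of the side-by-side shape is that in execute_unchecked the only thing standing between an arbitrary sender and a fabricated claim is the message variant, while in execute_checked the sender comparison happens before fabricate is reached, so a rejected call leaves the recorded state untouched. In the real contract the comparison is between the canonicalized sender and the stored hub address, as in the snippet above; the string comparison here is the same decision with the canonicalization step factored out.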
#0 - GalloDaSballo
2022-08-06T20:46:52Z
The finding is correct in that anyone can call the function
The finding lacks any form of impact as to what would happen.
I think these may be test functions also
Not convinced the report makes sense for high severity given the lack of detail