Platform: Code4rena
Start Date: 25/10/2022
Pot Size: $50,000 USDC
Total HM: 18
Participants: 127
Period: 5 days
Judge: 0xean
Total Solo HM: 9
Id: 175
League: ETH
Rank: 86/127
Findings: 1
Award: $33.63
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: trustindistrust
Also found by: 0xbepresent, Jujic, Lambda, RaoulSchaffranek, c7e7eff, catchup, codexploder, cryptonue, d3e4, eierina, jwood, pashov, peanuts, pedroais, simon135
33.634 USDC - $33.63
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L136 https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Market.sol#L203-L206
Admin privilege issue
Gov can drain the DOLA tokens in Market.sol by setting the lender address to an arbitrary address using the setter function then calling recall()
set the lender address
function setLender(address _lender) public onlyGov { lender = _lender; }
drain DOLA tokens using recall()
function recall(uint amount) public { require(msg.sender == lender, "Only lender can recall"); dola.transfer(msg.sender, amount); }
#0 - c4-judge
2022-11-05T21:06:14Z
0xean marked the issue as duplicate
#1 - Simon-Busch
2022-12-05T15:35:45Z
Issue marked as satisfactory as requested by 0xean
#2 - c4-judge
2022-12-07T08:22:05Z
Simon-Busch marked the issue as duplicate of #301