Platform: Code4rena
Start Date: 31/01/2023
Pot Size: $90,500 USDC
Total HM: 47
Participants: 169
Period: 7 days
Judge: LSDan
Total Solo HM: 9
Id: 211
League: ETH
Rank: 69/169
Findings: 1
Award: $122.61
π Selected for report: 0
π Solo Findings: 0
122.6059 USDC - $122.61
https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/VaultController.sol#L669
The access control check _verifyCreatorOwner falsely checks if the address is creator of the vault AND the owner of the vault controller, instead of checking if address is creator of the vault OR owner of the vault controller. As this access control function is utilized in many vital public functions of VaultController, and as the creator of a vault is not necessarily the owner of the Vault controller at all times, this issue may lead to denial of service problems.
if (msg.sender != metadata.creator || msg.sender != owner) revert NotSubmitterNorOwner(msg.sender);
As can be seen above, the check reverts if msg.sender is not the vault creator or if msg.sender is not the owner of the VaultController contract. The negation of this check, which would give the allowed state, is
msg.sender == metadata.creator && msg.sender == owner
which shows that check is actually checking if the caller is vault creator AND the owner of the vault controller.
Manual review
Change the line to
if (msg.sender != metadata.creator && msg.sender != owner) revert NotSubmitterNorOwner(msg.sender);
so it reverts if the caller is not the vault creator nor owner.
#0 - c4-judge
2023-02-16T07:24:47Z
dmvt marked the issue as duplicate of #45
#1 - c4-sponsor
2023-02-18T12:08:31Z
RedVeil marked the issue as disagree with severity
#2 - c4-sponsor
2023-02-18T12:08:42Z
RedVeil marked the issue as sponsor confirmed
#3 - c4-judge
2023-02-23T00:17:15Z
dmvt marked the issue as satisfactory