Platform: Code4rena
Start Date: 14/09/2022
Pot Size: $50,000 USDC
Total HM: 25
Participants: 110
Period: 5 days
Judge: hickuphh3
Total Solo HM: 9
Id: 162
League: ETH
Rank: 56/110
Findings: 1
Award: $85.85
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: hyh
Also found by: 0x4non, 0xNazgul, Haruxe, KIntern_NA, PwnPatrol, Respx, Tointer, joestakey, pauliax, peritoflores, rotcivegaf, scaraven
85.8509 USDC - $85.85
Anyone can withdraw on behalf of approved user
Function withdraw at Vault.sol has incorrect access control. As the owner is passed as a parameter anyone can call withdraw to a approved receiver.
This is the same logic used in SemiFungibleVault.sol. Mathematically A or B == not A and not B
function withdraw( uint256 id, uint256 assets, address receiver, address owner ) external override epochHasEnded(id) marketExists(id) returns (uint256 shares) { if( msg.sender != owner && isApprovedForAll(owner, receiver) == false) revert OwnerDidNotAuthorize(msg.sender, owner);
The right logic is msg.sender is either the owner or msg.sender is approved .
require( msg.sender == owner || isApprovedForAll(owner, msg.sender), "Only owner or approved user can withdraw" );
Then if you want the receiver not to be the msg.sender
require(receiver != address(0))
otherwise remove receiver from the input parameters
#0 - 3xHarry
2022-09-21T11:44:40Z
@MiguelBits do we keep receiver as input parameter?
#1 - HickupHH3
2022-10-17T03:37:24Z
dup of #434
partial credit as impact isn't well explained like other dups / primary issue