Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 110/113
Findings: 1
Award: $0.03
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: NPCsCorp
Also found by: 0x11singh99, 0xAadi, 0xBugSlayer, 0xE1, 0xPluto, 0xSimeon, 0xSmartContract, 0xabhay, 0xdice91, 0xprinc, Aamir, Aymen0909, CDSecurity, DadeKuma, DarkTower, EV_om, Eeyore, GeekyLumberjack, GhK3Ndf, Giorgio, Greed, Inference, JanuaryPersimmon2024, Kaysoft, Krace, Matue, MrPotatoMagic, NentoR, Nikki, PUSH0, Soliditors, Tendency, Tigerfrake, Timeless, Timenov, ZanyBonzy, ZdravkoHr, abiih, adeolu, al88nsk, azanux, bareli, boredpukar, cu5t0mpeo, d4r3d3v1l, darksnow, deth, dutra, ether_sky, haxatron, ke1caM, kodyvim, m4ttm, mgf15, mrudenko, nmirchev8, nobody2018, nuthan2x, peanuts, piyushshukla, ravikiranweb3, rouhsamad, seraviz, simplor, slylandro_star, stealth, th13vn, vnavascues, wangxx2026, zaevlad
0.0293 USDC - $0.03
A security vulnerability exists in the setRouter function of the DcntEth contract. The setRouter function is marked as public, which means that anyone can call it and potentially change the router address, leading to unauthorized access and potential exploitation of the contract.
The setRouter function is public and lacks proper authorization checks. This allows any address to call the function and update the router address, potentially compromising the security of the contract.
function setRouter(address _router) public onlyOwner {
    router = _router;
}
The setRouter function should be updated to include an authorization check, allowing only authorized addresses to modify the router variable. An example is provided above, where the onlyOwner modifier is used to restrict access to the contract owner.
modifier onlyOwner() {
    require(msg.sender == owner(), "Not the contract owner");
    _;
}

function setRouter(address _router) public onlyOwner {
    router = _router;
}
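The following is an added illustration and not the DcntEth code or the warden's submission. It places the unprotected setRouter next to the owner-gated form and adds a small self-contained check that a non-owner contract can only take over the router in the unprotected version. Contract names (RouterTokenUnprotected, RouterTokenProtected, Owned, Stranger, Check), the inline ownership helper standing in for OpenZeppelin's Ownable, and the assumption that mint is gated by an onlyRouter modifier are all assumptions made for the example; the judge's comment below mentions the mint functionality as the sensitive path, which is why the example models it that way.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not DcntEth code. All contract names here are hypothetical.

// Minimal ownership helper (stand-in for OpenZeppelin's Ownable; assumption).
abstract contract Owned {
    address public owner;
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
    error NotOwner(address caller);

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }
}

interface IRouterToken {
    function setRouter(address _router) external;
    function router() external view returns (address);
}

// Weak form: setRouter has no access control, so any caller can make itself
// the router and thereby reach the router-gated mint.
contract RouterTokenUnprotected {
    address public router;
    mapping(address => uint256) public balanceOf;

    modifier onlyRouter() { require(msg.sender == router, "not router"); _; }

    function setRouter(address _router) public { router = _router; }

    function mint(address to, uint256 amount) external onlyRouter { balanceOf[to] += amount; }
}

// Hardened form: setRouter is restricted to the owner, rejects the zero
// address, and emits an event so router changes are visible on-chain.
contract RouterTokenProtected is Owned {
    address public router;
    mapping(address => uint256) public balanceOf;
    event RouterSet(address indexed oldRouter, address indexed newRouter);

    modifier onlyRouter() { require(msg.sender == router, "not router"); _; }

    function setRouter(address _router) public onlyOwner {
        require(_router != address(0), "zero router");
        emit RouterSet(router, _router);
        router = _router;
    }

    function mint(address to, uint256 amount) external onlyRouter { balanceOf[to] += amount; }
}

// A contract that is not the owner of either token; it reports whether
// setRouter accepted its call instead of reverting.
contract Stranger {
    function trySetRouter(IRouterToken token) external returns (bool ok) {
        try token.setRouter(address(this)) { ok = true; } catch { ok = false; }
    }
}

// Deploys both tokens (so Check becomes the owner of the protected one) and
// lets Stranger attempt the router change on each.
contract Check {
    function run() external returns (bool unprotectedTakenOver, bool protectedRejected) {
        RouterTokenUnprotected u = new RouterTokenUnprotected();
        RouterTokenProtected p = new RouterTokenProtected();
        Stranger s = new Stranger();

        unprotectedTakenOver = s.trySetRouter(IRouterToken(address(u))) && u.router() == address(s);
        protectedRejected = !s.trySetRouter(IRouterToken(address(p))) && p.router() == address(0);
    }
}
```

Deploying Check and calling run() from any account returns (true, true): the unprotected token now reports Stranger as its router, while the protected token reverts with NotOwner and keeps router unset. The event and zero-address check are there for monitoring and safety, not for access control; the authorization itself comes entirely from the onlyOwner modifier.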
Invalid Validation
#0 - c4-pre-sort
2024-01-25T20:11:23Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-25T20:11:28Z
raymondfam marked the issue as duplicate of #14
#2 - alex-ppg
2024-02-03T13:09:27Z
The submission fails to articulate the precise impact of changing the router. Substantiated by the submission's mention of potential exploitation of the contract instead of direct exploitation of the sensitive mint functionality of the contract, I consider a penalty down to 25% correct.
#3 - c4-judge
2024-02-03T13:09:37Z
alex-ppg marked the issue as partial-25