Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 93/113
Findings: 1
Award: $0.12
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: NPCsCorp
Also found by: 0x11singh99, 0xAadi, 0xBugSlayer, 0xE1, 0xPluto, 0xSimeon, 0xSmartContract, 0xabhay, 0xdice91, 0xprinc, Aamir, Aymen0909, CDSecurity, DadeKuma, DarkTower, EV_om, Eeyore, GeekyLumberjack, GhK3Ndf, Giorgio, Greed, Inference, JanuaryPersimmon2024, Kaysoft, Krace, Matue, MrPotatoMagic, NentoR, Nikki, PUSH0, Soliditors, Tendency, Tigerfrake, Timeless, Timenov, ZanyBonzy, ZdravkoHr, abiih, adeolu, al88nsk, azanux, bareli, boredpukar, cu5t0mpeo, d4r3d3v1l, darksnow, deth, dutra, ether_sky, haxatron, ke1caM, kodyvim, m4ttm, mgf15, mrudenko, nmirchev8, nobody2018, nuthan2x, peanuts, piyushshukla, ravikiranweb3, rouhsamad, seraviz, simplor, slylandro_star, stealth, th13vn, vnavascues, wangxx2026, zaevlad
0.1172 USDC - $0.12
The `setRouter` function in the `DcntEth.sol` contract is used to set the router of the contract. The router has access to some critical functions, namely `mint` and `burn`, which mint and burn tokens respectively. However, the `setRouter` function doesn't have any type of access control mechanism and its visibility is public. Hence, anyone can call this function and set the router of the DcntEth contract at any time, and then mint and burn tokens at will once they have set the router, which could lead to a total loss of value for the token.
Unauthorized minting/burning of tokens: anyone can set themselves or any other address as the router of the contract and then call the `mint` or `burn` function from the address they saved via `setRouter`.
Missing access controls: anyone can call this function without having the necessary permissions.
This is the current implementation of the `setRouter` function in the `DcntEth.sol` contract for reference:

```solidity
/**
 * @param _router the decentEthRouter associated with this eth
 */
function setRouter(address _router) public {
    router = _router;
}
```
It is clearly visible that this function's visibility is `public` and anyone can call it without any restriction.
Here, I've given a Proof of Concept to reproduce the vulnerability. This vulnerability can be easily identified and reproduced.
Step 1: Call the `setRouter` function and set your address as the router of the contract.
Step 2: Call the `mint` or `burn` function to mint tokens to any address or burn tokens from any address at your will.
This vulnerability can be resolved by adding an `onlyOwner` modifier or any other type of access control mechanism to the `setRouter` function.
Here is the modified code for the function:

```solidity
function setRouter(address _router) public onlyOwner {
    router = _router;
}
```
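The following is an added illustration, not code from the Decent project or from this report: a stripped-down token in the shape the finding describes (router-gated `mint`/`burn`, owner-gated `setRouter`), together with a Foundry regression test that pins the fix in place. The contract names `MinimalOwnable`, `DcntEthLike` and `DcntEthLikeTest`, the custom errors, the `RouterSet` event and the zero-address check are all assumptions made for this example; the real `DcntEth` inherits its ownership from `OFTV2` and uses its own token logic. The test assumes forge-std is installed (`forge install foundry-rs/forge-std`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol"; // assumption: forge-std is available

// Hypothetical minimal owner guard; the real contract gets this via OFTV2.
abstract contract MinimalOwnable {
    address public owner;
    error NotOwner();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }
}

// Hypothetical stand-in for DcntEth: only the router may mint/burn, and only
// the owner may decide who the router is.
contract DcntEthLike is MinimalOwnable {
    address public router;
    mapping(address => uint256) public balanceOf;

    event RouterSet(address indexed previousRouter, address indexed newRouter);

    error NotRouter();
    error ZeroRouter();

    modifier onlyRouter() {
        if (msg.sender != router) revert NotRouter();
        _;
    }

    // Hardened form of the function from the finding: without onlyOwner, any
    // caller could point `router` at themselves and reach mint/burn.
    function setRouter(address _router) public onlyOwner {
        if (_router == address(0)) revert ZeroRouter(); // added check, an assumption
        emit RouterSet(router, _router);                // added event, an assumption
        router = _router;
    }

    function mint(address _to, uint256 _amount) public onlyRouter {
        balanceOf[_to] += _amount;
    }

    function burn(address _from, uint256 _amount) public onlyRouter {
        balanceOf[_from] -= _amount;
    }
}

// Regression tests: the deployer (this contract) is the owner.
contract DcntEthLikeTest is Test {
    DcntEthLike internal token;
    address internal router;
    address internal stranger;

    function setUp() public {
        router = makeAddr("router");
        stranger = makeAddr("stranger");
        token = new DcntEthLike();
        token.setRouter(router); // owner call succeeds
    }

    // The core of the finding: a non-owner must not be able to change the router.
    function test_nonOwnerCannotSetRouter() public {
        vm.prank(stranger);
        vm.expectRevert(MinimalOwnable.NotOwner.selector);
        token.setRouter(stranger);
    }

    // mint/burn stay reachable only from the configured router.
    function test_nonRouterCannotMint() public {
        vm.prank(stranger);
        vm.expectRevert(DcntEthLike.NotRouter.selector);
        token.mint(stranger, 1 ether);
    }

    function test_routerCanMintAndBurn() public {
        vm.prank(router);
        token.mint(stranger, 1 ether);
        assertEq(token.balanceOf(stranger), 1 ether);

        vm.prank(router);
        token.burn(stranger, 1 ether);
        assertEq(token.balanceOf(stranger), 0);
    }
}
```

Run with `forge test`. The first test is the one that would have failed against the unpatched `setRouter`; keeping it in the suite is what prevents the access control from being silently dropped in a later refactor.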
Git Diff:
@@ -17,7 +17,7 @@ contract DcntEth is OFTV2 { /** * @param _router the decentEthRouter associated with this eth */ - function setRouter(address _router) public { + function setRouter(address _router) public onlyOwner { router = _router; }
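Review bot: the `+ function setRouter(address _router) public onlyOwner {` line relies on an `onlyOwner` modifier that this hunk neither defines nor imports, so the patch only compiles if the modifier is inherited through `OFTV2` (the visible `contract DcntEth is OFTV2` header); confirm that inheritance chain before merging rather than assuming it. Consider also emitting an event when `router` changes, since this address now gates `mint` and `burn` and off-chain monitoring should be able to see it move.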
Access Control
#0 - c4-pre-sort
2024-01-23T22:14:35Z
raymondfam marked the issue as duplicate of #14
#1 - c4-pre-sort
2024-01-23T22:14:40Z
raymondfam marked the issue as sufficient quality report
#2 - c4-judge
2024-02-03T13:31:05Z
alex-ppg marked the issue as satisfactory