Mimo August 2022 contest - teddav's results

Bridging the chasm between the DeFi world and the world of regulated financial institutions.

General Information

Platform: Code4rena

Start Date: 02/08/2022

Pot Size: $50,000 USDC

Total HM: 12

Participants: 69

Period: 5 days

Judge: gzeon

Total Solo HM: 5

Id: 150

League: ETH

Mimo DeFi

Researcher Performance

Rank: 22/69

Findings: 1

Award: $224.50

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: horsefacts

Also found by: ayeslick, cccz, peritoflores, teddav, vlad_bochok

Labels

bug
duplicate
2 (Med Risk)

Awards

224.5009 USDC - $224.50

External Links

Lines of code

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxy.sol#L61

https://github.com/code-423n4/2022-08-mimo/blob/main/contracts/proxy/MIMOProxy.sol#L82

Vulnerability details

Impact

If a permission is given in MimoProxy to any function, it can then be abused to whitelist any other msg.sender/function by modifying the _permissions mapping. There is a check that the owner was not modified, but no check on _permissions (which makes sense since it's a mapping). So I can then use my whitelisted function to add any of my contracts to _permissions and drain the funds of the current contract.

#0 - RnkSngh

2022-08-10T10:31:08Z

Duplicate of #161
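
The behaviour described under Impact, as an added Python model that is not code from the contest repository or from the original submission: a post-call check on the owner leaves writes to the permissions mapping unnoticed, and a test harness that diffs storage around the call surfaces them. All names (ModelProxy, fields_written, the "envoy"/"target"/"sel" strings) are constructed, and the storage dict is an assumed stand-in for the proxy's storage under delegatecall.

```python
import copy

class ModelProxy:
    """Constructed model: a delegatecall runs target code on the proxy's own storage."""
    def __init__(self, owner):
        self.storage = {"owner": owner, "permissions": set()}

    def execute(self, caller, target, selector, code):
        key = (caller, target, selector)
        if caller != self.storage["owner"] and key not in self.storage["permissions"]:
            raise PermissionError("caller not authorized")
        owner_before = self.storage["owner"]
        code(self.storage)  # delegatecall: every write lands in the proxy
        if self.storage["owner"] != owner_before:  # the only post-call check
            raise RuntimeError("owner changed during call")

# Three constructed target functions, each receiving the proxy's storage.
def benign(storage):
    pass

def changes_owner(storage):
    storage["owner"] = "envoy"

def grants_permission(storage):
    storage["permissions"].add(("envoy", "otherTarget", "anySelector"))

def fields_written(proxy, caller, target, selector, code):
    """Harness check: run the call on a copy and report which storage fields changed."""
    trial = copy.deepcopy(proxy)
    before = copy.deepcopy(trial.storage)
    try:
        trial.execute(caller, target, selector, code)
    except RuntimeError:
        return {"reverted"}
    return {name for name in before if trial.storage[name] != before[name]}

def demo():
    proxy = ModelProxy("owner")
    proxy.storage["permissions"].add(("envoy", "target", "sel"))  # the owner's single grant
    call = (proxy, "envoy", "target", "sel")
    return {
        "benign": fields_written(*call, benign),
        "owner": fields_written(*call, changes_owner),
        "permissions": fields_written(*call, grants_permission),
    }

if __name__ == "__main__":
    print(demo())
```
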
