Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 59/113
Findings: 2
Award: $23.19
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: NPCsCorp
Also found by: 0x11singh99, 0xAadi, 0xBugSlayer, 0xE1, 0xPluto, 0xSimeon, 0xSmartContract, 0xabhay, 0xdice91, 0xprinc, Aamir, Aymen0909, CDSecurity, DadeKuma, DarkTower, EV_om, Eeyore, GeekyLumberjack, GhK3Ndf, Giorgio, Greed, Inference, JanuaryPersimmon2024, Kaysoft, Krace, Matue, MrPotatoMagic, NentoR, Nikki, PUSH0, Soliditors, Tendency, Tigerfrake, Timeless, Timenov, ZanyBonzy, ZdravkoHr, abiih, adeolu, al88nsk, azanux, bareli, boredpukar, cu5t0mpeo, d4r3d3v1l, darksnow, deth, dutra, ether_sky, haxatron, ke1caM, kodyvim, m4ttm, mgf15, mrudenko, nmirchev8, nobody2018, nuthan2x, peanuts, piyushshukla, ravikiranweb3, rouhsamad, seraviz, simplor, slylandro_star, stealth, th13vn, vnavascues, wangxx2026, zaevlad
0.1172 USDC - $0.12
The vulnerability in the setRouter() function poses a critical risk because it allows any address to change the router variable. An attacker could therefore maliciously alter the router address and gain unauthorized control over critical functions such as mint(), which mints tokens.
Vulnerable code:
modifier onlyRouter() {
    require(msg.sender == router);
    _;
}

function setRouter(address _router) public {
    router = _router;
}

function mint(address _to, uint256 _amount) public onlyRouter {
    _mint(_to, _amount);
}

The attacker can easily call setRouter() with his own address. He can then mint an arbitrary amount of DcntEth tokens.
Manual
The code can be fixed as below:
function setRouter(address _router) public onlyOwner {
    router = _router;
}
Access Control
#0 - c4-pre-sort
2024-01-24T05:36:36Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-24T05:36:47Z
raymondfam marked the issue as duplicate of #14
#2 - c4-judge
2024-02-03T13:24:35Z
alex-ppg marked the issue as satisfactory
23.067 USDC - $23.07
In the Decent protocol, every user who wants to swap and execute must call swapAndExecute(). That function collects the fee and verifies the swap instructions signed by the signer. Unfortunately, the user can bypass both the fee payment and the signature check by calling the receiveFromBridge() function, which has no restrictions on paying fees and validating signatures.
Vulnerable code:
function receiveFromBridge(
    SwapInstructions memory postBridge,
    address target,
    address paymentOperator,
    bytes memory payload,
    address payable refund
) public {
    _swapAndExecute(postBridge, target, paymentOperator, payload, refund);
}

The user can directly call receiveFromBridge() to avoid paying fees and validating signatures.
Manual
Restrict the receiveFromBridge() function so that it can only be called by the bridge address.
Access Control
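One way to apply the restriction recommended above, as an added sketch that is not part of the original submission and not the Decent code base. The contract name, the owner-managed adapter allowlist, the events and errors are hypothetical, and the receiveFromBridge() signature is reduced to two parameters to keep the sketch self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: only receiveFromBridge and _swapAndExecute are names
// taken from the finding; everything else here is hypothetical.
contract GatedExecutorSketch {
    address public immutable owner;
    // Addresses allowed to deliver bridged calls (assumed design).
    mapping(address => bool) public isBridgeAdapter;

    event BridgeAdapterSet(address indexed adapter, bool allowed);
    event Executed(address indexed target, bytes payload);

    error NotOwner();
    error NotBridgeAdapter(address caller);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    modifier onlyBridgeAdapter() {
        if (!isBridgeAdapter[msg.sender]) revert NotBridgeAdapter(msg.sender);
        _;
    }

    // The allowlist setter is itself owner-gated; an open setter would
    // recreate the setRouter() problem from the first finding.
    function setBridgeAdapter(address adapter, bool allowed) external onlyOwner {
        isBridgeAdapter[adapter] = allowed;
        emit BridgeAdapterSet(adapter, allowed); // gives monitoring a trail
    }

    // Bridge entry point: reachable only from an allowlisted adapter, so a
    // user cannot call it directly to skip the fee and signature checks
    // enforced on the user-facing path.
    function receiveFromBridge(address target, bytes calldata payload)
        external
        onlyBridgeAdapter
    {
        _swapAndExecute(target, payload);
    }

    function _swapAndExecute(address target, bytes calldata payload) private {
        emit Executed(target, payload); // stand-in for the real swap and call
    }
}
```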
#0 - c4-pre-sort
2024-01-24T06:07:21Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-01-24T06:07:35Z
raymondfam marked the issue as duplicate of #15
#2 - alex-ppg
2024-02-03T12:23:32Z
While the submission is of somewhat low quality, it correctly specifies that the signatures are also not validated in addition to the fees being dodged. As such, I will "cancel" out the penalty and bonus and assign a full reward.
#3 - c4-judge
2024-02-03T12:23:37Z
alex-ppg marked the issue as satisfactory
#4 - c4-judge
2024-02-03T13:03:51Z
alex-ppg changed the severity to 2 (Med Risk)