Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing access control in non-batched InflationManager execute funtions #56

Open
code423n4 opened this issue Jun 2, 2022 · 2 comments
Open

Missing access control in non-batched InflationManager execute funtions #56

code423n4 opened this issue Jun 2, 2022 · 2 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/InflationManager.sol#L145-L155
https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/InflationManager.sol#L236-L249
https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/InflationManager.sol#L321-L330

Vulnerability details

Impact

Several actions need to be prepared and go through a time-lock before they can be executed. InflationManager allows anyone to call the single action execute function but requires onlyRoles2(Roles.GOVERNANCE, Roles.INFLATION_MANAGER) for the batched versions. This looks like an oversight since the same access control level should be enforced.

For example, the executeLpPoolWeight function allows anyone to call it:

https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/InflationManager.sol#L241-L249

function executeLpPoolWeight(address lpToken) external override returns (uint256) {
   (...)
}

But the batched version enforces the caller to have GOVERNANCE or INFLATION_MANAGER roles:

https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/InflationManager.sol#L284-L301

function batchExecuteLpPoolWeights(address[] calldata lpTokens)
        external
        override
        onlyRoles2(Roles.GOVERNANCE, Roles.INFLATION_MANAGER)
        returns (bool)
    {

The same happens in executeAmmTokenWeight versus batchExecuteAmmTokenWeights , as well as executeKeeperPoolWeight versus batchExecuteKeeperPoolWeights.

If only trusted roles should be able to execute pending actions then the onlyRoles modifier should be added to the non-batched functions.

Scenarios where you would not want to allow anyone to execute could include potential votes/changes that may trigger a bug or undesired behavior noticed after it had already been approved.

Tools Used

vim

Recommended Mitigation Steps

Enforce the proper access control mechanism in non-batched execute functions.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 2, 2022
code423n4 added a commit that referenced this issue Jun 2, 2022
@code423n4
bardamu issue #56
281794a
@danhper danhper added disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") labels Jun 6, 2022
@danhper
Copy link
Collaborator

danhper commented Jun 6, 2022

The access control should actually be removed from batchExecuteKeeperPoolWeights rather than added to executeKeeperPoolWeight, so this is rather QA severity

@GalloDaSballo
Copy link
Collaborator

My immediate reply would have been for the finding to be invalid, however, per the sponsor reply, we can leave as valid at QA severity as indeed there's an incongruence between access controls

@GalloDaSballo GalloDaSballo added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jun 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@danhper @GalloDaSballo @code423n4