VirtualAccount's payable function can be callable by anyone #602
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-885
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/VirtualAccount.sol#L85-L112
Vulnerability details
Impact
VirtualAccounts are created for user specific and it holds user's financial assets. VirtualAccount contract has
call
andpayableCall
functions purpose is make this function like a EOA. So this is important that there should be important put access control for this call functions. If there is not, any malicious user can use this call function to steal asset's of virtualAccount's user.As can be seen
call
function has access control which can be seen asrequiresApprovedCaller
modifier.However there is no such that modifier in
payableCall
or any other access control so anybody can callpayableCall
.It can be seen that there is no access control for
msg.sender
. Due to this lack,for example, a malicious user can give parameter as target USDT and calldata as transfer(addressOfMalUser,BalanceOfVirtualAccount). So by this way malicious user can steal users assets without revert.Proof of Concept
Tools Used
Recommended Mitigation Steps
Assessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: