Funds in VirtualAccount could be stolen due to absence of access control for payableCall() #82
Labels:
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate-885
- satisfactory: satisfies C4 submission criteria; eligible for awards
- sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/VirtualAccount.sol#L85
Vulnerability details
Impact
The payableCall() function is designed to execute arbitrary calls on behalf of the owner of the VirtualAccount contract. Because the function has no access control, funds held in VirtualAccount can be stolen by anyone.

Proof of Concept
The test cases below show that both ERC20 and ERC721 tokens could be withdrawn from VirtualAccount by an unrelated account:

Test log:
Tools Used
Manual review
Recommended Mitigation Steps
Apply the requiresApprovedCaller modifier to payableCall().

Assessed type
Access Control
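The following is an added illustration of the recommended mitigation, written for this page; it is not the Maia VirtualAccount code. VirtualAccountExample, the PayableCall struct, the IRootPort interface with its isRouterApproved() function, MockPort, and the forge-std dependency are all assumptions made here. It shows payableCall() guarded by a requiresApprovedCaller modifier that admits only the account owner or a port-approved router, together with a Foundry regression test asserting that an unrelated caller is rejected while the owner is not.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example (not the project's code). Assumes forge-std is installed.
import "forge-std/Test.sol";

struct PayableCall {
    address target;
    bytes callData;
    uint256 value;
}

// Hypothetical approval registry; the real port interface is not reproduced here.
interface IRootPort {
    function isRouterApproved(address account, address router) external view returns (bool);
}

contract VirtualAccountExample {
    address public immutable userAddress;      // owner of this account
    address public immutable localPortAddress; // port that tracks approved routers

    error UnauthorizedCaller();
    error CallFailed();

    constructor(address _userAddress, address _localPortAddress) {
        userAddress = _userAddress;
        localPortAddress = _localPortAddress;
    }

    // Mitigation: only the owner or a router approved by the port may proceed.
    modifier requiresApprovedCaller() {
        if (msg.sender != userAddress
            && !IRootPort(localPortAddress).isRouterApproved(address(this), msg.sender)) {
            revert UnauthorizedCaller();
        }
        _;
    }

    // Without the modifier below, any address could route calls (and therefore
    // token transfers) through this account. The modifier closes that hole.
    function payableCall(PayableCall[] calldata calls)
        external
        payable
        requiresApprovedCaller
        returns (bytes[] memory returnData)
    {
        returnData = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; ++i) {
            (bool ok, bytes memory data) =
                calls[i].target.call{value: calls[i].value}(calls[i].callData);
            if (!ok) revert CallFailed();
            returnData[i] = data;
        }
    }

    receive() external payable {}
}

// Minimal port stub so the test can control router approvals (constructed).
contract MockPort is IRootPort {
    mapping(address => mapping(address => bool)) public approved;

    function setApproved(address account, address router, bool v) external {
        approved[account][router] = v;
    }

    function isRouterApproved(address account, address router) external view returns (bool) {
        return approved[account][router];
    }
}

// Regression test: an unrelated caller must be rejected, the owner must succeed.
contract VirtualAccountAccessTest is Test {
    VirtualAccountExample acct;
    MockPort port;
    address owner = address(0xA11CE);   // constructed sample address
    address stranger = address(0xB0B);  // constructed sample address

    function setUp() public {
        port = new MockPort();
        acct = new VirtualAccountExample(owner, address(port));
        vm.deal(address(acct), 1 ether);
    }

    function test_strangerIsRejected() public {
        PayableCall[] memory calls = new PayableCall[](1);
        calls[0] = PayableCall({target: stranger, callData: "", value: 1 ether});
        vm.prank(stranger);
        vm.expectRevert(VirtualAccountExample.UnauthorizedCaller.selector);
        acct.payableCall(calls);
    }

    function test_ownerSucceeds() public {
        PayableCall[] memory calls = new PayableCall[](1);
        calls[0] = PayableCall({target: owner, callData: "", value: 1 ether});
        vm.prank(owner);
        acct.payableCall(calls);
        assertEq(owner.balance, 1 ether);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed. The first test is the one that fails against the unguarded version of payableCall() and passes once the modifier is applied, which makes it a useful check to keep in the suite after the fix lands.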