FunctionAdminRequired modifier does not specify any granular security around function permissions per contract or per collection #1425
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-303
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
sufficient quality report: This report is of sufficient quality
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenAdmins.sol#L44
Vulnerability details
Impact
The FunctionAdminRequired modifier, widely used throughout the NextGen codebase, does not specify any granular security around function permissions per contract or per collection. This opens up potentially significant security issues: an actor intentionally given FunctionAdmin access for a given function selector unintentionally gains FunctionAdmin access to every function with the same selector on other contracts. Additionally, because nothing specifies which collection(s) a FunctionAdmin is granted access to for a given function selector, an actor who should have permission to call a given function for, say, Collection #1 but not Collection #2 can call that function by selector on both Collections #1 and #2. This vulnerability concerns the access control of trusted (and potentially untrusted) actors, and puts the protocol at risk.
Proof of Concept
NextGenAdmins.retrieveFunctionAdmin is used widely in many of NextGen's contracts. As the linked line shows, it only checks whether a given address has permission for a function selector, with no additional scoping by contract or collection.
Exploit Case 1: Same function name, different contracts
Exploit Case 2: Different functions with different names that hash to the same bytes4 selector value
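The following Solidity sketch is an added illustration and is not the report's or NextGen's code: it places a selector-only registry of the kind the report describes next to a hardened registry keyed by (caller, target contract, selector) with an optional per-collection scope. Contract and function names (SelectorOnlyAdmins, ScopedAdmins, ScopedCore, registerCollectionFunctionAdmin, setCollectionName) are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not NextGen's code. All names are assumed.

// Weak registry: permission keyed only by (caller, selector). Every contract
// that consults it grants the same caller the same selector everywhere,
// and a grant can never be limited to one collection.
contract SelectorOnlyAdmins {
    address public immutable owner;
    mapping(address => mapping(bytes4 => bool)) private functionAdmin;

    constructor() { owner = msg.sender; }

    function registerFunctionAdmin(address who, bytes4 selector, bool status) external {
        require(msg.sender == owner, "not owner");
        functionAdmin[who][selector] = status;
    }

    function retrieveFunctionAdmin(address who, bytes4 selector) external view returns (bool) {
        return functionAdmin[who][selector];
    }
}

// Hardened registry: permission keyed by (caller, target contract, selector),
// plus an optional (caller, target contract, selector, collection) grant.
contract ScopedAdmins {
    address public immutable owner;
    // who => target contract => selector => allowed
    mapping(address => mapping(address => mapping(bytes4 => bool))) private contractFunctionAdmin;
    // who => target contract => selector => collectionId => allowed
    mapping(address => mapping(address => mapping(bytes4 => mapping(uint256 => bool)))) private collectionFunctionAdmin;

    constructor() { owner = msg.sender; }

    function registerFunctionAdmin(address who, address target, bytes4 selector, bool status) external {
        require(msg.sender == owner, "not owner");
        contractFunctionAdmin[who][target][selector] = status;
    }

    function registerCollectionFunctionAdmin(
        address who, address target, bytes4 selector, uint256 collectionId, bool status
    ) external {
        require(msg.sender == owner, "not owner");
        collectionFunctionAdmin[who][target][selector][collectionId] = status;
    }

    function retrieveFunctionAdmin(address who, address target, bytes4 selector) public view returns (bool) {
        return contractFunctionAdmin[who][target][selector];
    }

    // A contract-wide grant implies access to every collection; otherwise the
    // caller needs a grant for this specific collection.
    function retrieveCollectionFunctionAdmin(
        address who, address target, bytes4 selector, uint256 collectionId
    ) external view returns (bool) {
        return contractFunctionAdmin[who][target][selector]
            || collectionFunctionAdmin[who][target][selector][collectionId];
    }
}

// A consumer of the hardened registry. msg.sig is the selector actually being
// executed and address(this) binds the grant to this contract, so a grant for
// the same selector on another contract does not carry over.
contract ScopedCore {
    ScopedAdmins public immutable admins;
    bool public paused;
    mapping(uint256 => string) public collectionName;

    constructor(ScopedAdmins admins_) { admins = admins_; }

    modifier FunctionAdminRequired() {
        require(admins.retrieveFunctionAdmin(msg.sender, address(this), msg.sig), "Not allowed");
        _;
    }

    modifier CollectionFunctionAdminRequired(uint256 collectionId) {
        require(
            admins.retrieveCollectionFunctionAdmin(msg.sender, address(this), msg.sig, collectionId),
            "Not allowed"
        );
        _;
    }

    // Contract-wide action: scoped to this contract and this selector.
    function setPaused(bool value) external FunctionAdminRequired {
        paused = value;
    }

    // Per-collection action: an admin for collection 1 cannot rename collection 2.
    function setCollectionName(uint256 collectionId, string calldata name)
        external
        CollectionFunctionAdminRequired(collectionId)
    {
        collectionName[collectionId] = name;
    }
}
```

Two design choices in the hardened form are worth noting. Keying on address(this) confines a grant to one deployed contract, which also neutralises the report's second case: two different function signatures cannot share a selector within a single contract (the Solidity compiler rejects the collision), so once grants are scoped per contract a colliding selector on some other contract no longer inherits the permission. Reading msg.sig inside the modifier, instead of passing a selector literal as a modifier argument, removes the possibility of a function guarding itself with the wrong selector.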
Tools Used
Solidity
Recommended Mitigation Steps
More granular control via the following:
Assessed type
Access Control