In Cnote.sol, anyone can initially become both accountant and admin #195
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/CNote.sol#L14
Vulnerability details
Impact
Affected code:
The function _setAccountantContract() is supposed to be called after contract initialization, so that the accountant is immediately set. However, this function completely lacks any access control (it's just public), so an attacker can monitor the mempool and frontrun the transaction in order to become both accountant and admin.
Tools Used
Editor
Recommended Mitigation Steps
The function should:
admin too, which is dangerous and out of scope
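The pattern behind this finding, as an added illustration that is not CNote.sol's actual code: a hypothetical contract whose post-deployment setter has no access control and hands out both the accountant and admin roles, placed beside a hardened version in which the deployer becomes admin inside the constructor (no window between deployment and role assignment), the setter is restricted to admin, and the accountant can only be assigned once. Contract names, the event and the custom errors are assumptions made for the example; only the function name comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration of the reported pattern (not CNote.sol itself):
// a setter meant to run right after deployment, but callable by anyone.
// Whoever lands a call first owns both roles.
contract VulnerableCNoteLike {
    address public admin;
    address public accountant;

    function _setAccountantContract(address _accountant) public {
        accountant = _accountant;
        admin = _accountant; // the setter also assigns admin
    }
}

// Hardened version: admin is fixed atomically in the deployment transaction,
// the setter is admin-only, and the accountant can be set exactly once.
contract HardenedCNoteLike {
    address public admin;
    address public accountant;

    event AccountantSet(address indexed accountant);

    error NotAdmin();
    error AlreadySet();
    error ZeroAddress();

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor() {
        // Deployer becomes admin in the same transaction as deployment,
        // so there is no separate setup call to frontrun.
        admin = msg.sender;
    }

    function _setAccountantContract(address _accountant) external onlyAdmin {
        if (_accountant == address(0)) revert ZeroAddress();
        if (accountant != address(0)) revert AlreadySet(); // one-shot initialization
        accountant = _accountant;
        emit AccountantSet(_accountant);
    }
}
```

The event is there so that off-chain monitoring can confirm which address ended up as accountant after deployment; a setup transaction that reverts with NotAdmin or AlreadySet is the expected outcome for any caller other than the deployer.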