BaseRate can be update by anyone #198
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
Lines of code
https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/NoteInterest.sol#L118
Vulnerability details
Impact
There is no access modifier in
updateBaseRate
due to which, anyone can change Baserate to a very low value an borrow the large valuefunction updateBaseRate(uint newBaseRatePerYear) public {}
Proof of Concept
https://github.com/Plex-Engineer/lending-market/blob/755424c1f9ab3f9f0408443e6606f94e4f08a990/contracts/NoteInterest.sol#L118
Tools Used
manual review
Recommended Mitigation Steps
add a access modifier
The text was updated successfully, but these errors were encountered: