Require for setting an address of pool contract #416
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-437
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/configuration/PoolAddressesProvider.sol#L75
Vulnerability details
The id parameter must not be equal to the POOL constant. This prevents an attacker from overwriting the address of the pool contract, which could cause significant problems for the protocol.
Proof of Concept
Attacker calls setAddress and changes the address of the pool contract.
Now attacker owns the pool.
Recommended Mitigation Steps
Add a require statement to the setAddress() function, similar to setAddressAsProxy():
require(id != POOL, Errors.INVALID_ADDRESSES_PROVIDER_ID);
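The recommended guard shown in a simplified registry, as an added example that is not part of the original submission and not ParaSpace's code. The contract name, the `onlyOwner` modifier, the constructor, `setAddressUnguarded`, and the local error string are assumptions made for illustration; only `POOL`, `setAddress` and the `require` line come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Hypothetical, simplified registry for illustration only. Names other than
// POOL and setAddress are assumptions, not the project's identifiers.
contract AddressRegistrySketch {
    bytes32 private constant POOL = "POOL";
    // Local placeholder standing in for Errors.INVALID_ADDRESSES_PROVIDER_ID.
    string private constant INVALID_ID = "INVALID_ADDRESSES_PROVIDER_ID";

    address public immutable owner;
    mapping(bytes32 => address) private _addresses;

    event AddressSet(bytes32 indexed id, address indexed oldAddress, address indexed newAddress);

    modifier onlyOwner() {
        require(msg.sender == owner, "NOT_OWNER"); // assumed access control
        _;
    }

    constructor(address initialPool) {
        owner = msg.sender;
        _addresses[POOL] = initialPool;
    }

    function getAddress(bytes32 id) external view returns (address) {
        return _addresses[id];
    }

    // Before: any id, including the reserved POOL id, can be repointed
    // through the generic setter.
    function setAddressUnguarded(bytes32 id, address newAddress) external onlyOwner {
        _write(id, newAddress);
    }

    // After: the generic setter rejects the reserved POOL id, so the pool
    // entry cannot be overwritten through this path.
    function setAddress(bytes32 id, address newAddress) external onlyOwner {
        require(id != POOL, INVALID_ID);
        _write(id, newAddress);
    }

    function _write(bytes32 id, address newAddress) private {
        address oldAddress = _addresses[id];
        _addresses[id] = newAddress;
        emit AddressSet(id, oldAddress, newAddress);
    }
}
```

Because every write emits `AddressSet` with the id indexed, a monitor can alert on any event whose id equals the POOL constant as a second line of defence.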