Require for setting an address of pool contract #416
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-437
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
code423n4
added
2 (Med Risk)
|
dmvt marked the issue as duplicate of #54 |
|
dmvt marked the issue as unsatisfactory: |
c4-judge
added
unsatisfactory
|
dmvt marked the issue as satisfactory |
|
dmvt marked the issue as unsatisfactory: |
c4-judge
added
unsatisfactory
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/configuration/PoolAddressesProvider.sol#L75
Vulnerability details
Id parameter must not equal to the POOL constant. This prevents an attacker from overwriting the address of the pool contract, which could cause significant problems for the protocol.
Proof of Concept
Attacker calls setAddress and changes the address of the pool contract.
Now attacker owns the pool.
Recommended Mitigation Steps
Add require statement to setAdress() function similar to setAddressAsProxy():
require(id != POOL, Errors.INVALID_ADDRESSES_PROVIDER_ID);
The text was updated successfully, but these errors were encountered: