Minipool should be recreated by same owner #524
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-213
edited-by-warden
satisfactory: satisfies C4 submission criteria; eligible for awards
upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Comments
code423n4 added the "2 (Med Risk)" (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value) and "bug" labels on Jan 3, 2023
C4-Staff added a commit that referenced this issue on Jan 6, 2023
GalloDaSballo marked the issue as duplicate of #213
c4-judge added the "3 (High Risk)" and "upgraded by judge" labels and removed the "2 (Med Risk)" label on Feb 3, 2023
GalloDaSballo changed the severity to 3 (High Risk)
c4-judge added the "2 (Med Risk)" and "downgraded by judge" (Judge downgraded the risk level of this issue) labels and removed the "3 (High Risk)" and "upgraded by judge" labels on Feb 8, 2023
GalloDaSballo changed the severity to 2 (Med Risk)
c4-judge added the "3 (High Risk)" and "upgraded by judge" labels and removed the "2 (Med Risk)" and "downgraded by judge" labels on Feb 8, 2023
GalloDaSballo changed the severity to 3 (High Risk)
c4-judge added the "satisfactory" label on Feb 8, 2023
GalloDaSballo marked the issue as satisfactory
c4-judge added the "downgraded by judge" and "QA (Quality Assurance)" (Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax) labels and removed the "3 (High Risk)" and "upgraded by judge" labels on Feb 9, 2023
GalloDaSballo changed the severity to QA (Quality Assurance)
Simon-Busch removed the "downgraded by judge" label on Feb 9, 2023
Simon-Busch added the "3 (High Risk)" label and removed the "QA (Quality Assurance)" label on Feb 9, 2023
Changed severity back from QA to H as requested by @GalloDaSballo
Simon-Busch added the "upgraded by judge" label on Feb 9, 2023
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/main/contracts/contract/MinipoolManager.sol#L191-L283
Vulnerability details
Impact
Every minipool has an owner and it is recorded in this line of the createMinipool function. However, there is no check to disallow a non-owner from recreating the same minipool, which is wrong.
Proof of Concept
A user creates a minipool
And cancels the minipool
Then, another user can recreate the minipool again with the same createMinipool function with the same nodeID. This should not be allowed!!
Added a test unit.
Tools Used
Manual and added a test unit.
Recommended Mitigation Steps
Change the createMiniPool function. Add owner checking if minipool is updated.
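
The owner check recommended in the report above, shown on a simplified model (an added example, not part of the original submission and not GoGoPool's MinipoolManager code). The contract, enum, error and storage names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model for illustration; not GoGoPool's MinipoolManager.
// Contract, enum, error and storage names are assumptions.
contract MinipoolOwnerCheckModel {
    enum Status { None, Prelaunch, Canceled }

    struct Minipool {
        address owner;
        Status status;
    }

    // nodeID => minipool record; the record survives cancellation.
    mapping(address => Minipool) private minipools;

    error MinipoolStillActive();
    error MinipoolNotCancelable();
    error OnlyOwner();

    function createMinipool(address nodeID) external {
        Minipool storage mp = minipools[nodeID];
        if (mp.status == Status.Prelaunch) revert MinipoolStillActive();

        // Recreation path: a record for this nodeID already exists.
        // Without this check, the owner assignment below would hand a
        // canceled minipool's record to whichever account calls next.
        if (mp.status != Status.None && mp.owner != msg.sender) revert OnlyOwner();

        mp.owner = msg.sender;
        mp.status = Status.Prelaunch;
    }

    function cancelMinipool(address nodeID) external {
        Minipool storage mp = minipools[nodeID];
        if (mp.owner != msg.sender) revert OnlyOwner();
        if (mp.status != Status.Prelaunch) revert MinipoolNotCancelable();
        mp.status = Status.Canceled;
    }

    function getOwner(address nodeID) external view returns (address) {
        return minipools[nodeID].owner;
    }
}
```

A unit test for this check would create a minipool from one account, cancel it, and assert that createMinipool with the same nodeID reverts with OnlyOwner when called from a second account.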