Centralization risk - administrators can steal all basetokens in collateral by modifying the DepositRecord address #140
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-254
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/Collateral.sol#L80-L83
Vulnerability details
Impact
Centralization risk - administrators can steal all basetokens in collateral by modifying the DepositRecord address
Proof of Concept
In the
collateral
contract, allow the manager to transferbasetoken
by callingmanagerWithdraw()
But there is a limitation in
managerWithdrawHook.hook
After transferring
basetoken
, the remaining number ofbasetoken
must be greater than the value ofgetMinReserve()
. But here the administrator can temporarily changeDepositRecord
to a new address by bribingSET_DEPOSIT_RECORD_ROLE
. Then the return value ofgetMinReserve()
is 0. Thus administrators can bypass restrictions inhook()
. Steal allbasetoken
in the contract.Tools Used
vscode
Recommended Mitigation Steps
Add time lock or prohibit modification of depositrecord address
The text was updated successfully, but these errors were encountered: