managerWithdraw can be called when manager isn't set, wiping all user funds #256
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-b
Q-25
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L80-L83
Vulnerability details
Impact
The manager role in Collateral.sol must be set manually: it is not assigned in the constructor or in the initialize functions. Setting manager is also not a prerequisite for granting MANAGER_WITHDRAW_ROLE. In the case where MANAGER_WITHDRAW_ROLE has been granted but manager is still unset (address(0)), a holder of the role is able to call managerWithdraw(). This will send all requested funds to the zero address, where they will be irretrievable.
Proof of Concept
manager isn't set anywhere in the contract except in the setManager function. There is no requirement that this function must have been called in order to call managerWithdraw(). The result is that any call to managerWithdraw() before manager is set will destroy all funds.
Tools Used
Manual Review
Recommended Mitigation Steps
Add a check in this function that the manager is set before sending funds:
require(manager != address(0), 'manager must be set to send funds');
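To make the finding and the mitigation concrete, here is an added sketch (not the prePO Collateral.sol and not code from the issue author) of a stripped-down vault with the same manager pattern; the role bookkeeping, the IERC20 interface and the function names managerWithdrawUnchecked/grantManagerWithdrawRole are assumptions made for the illustration, and the two withdraw functions sit side by side only so the missing check is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Illustrative only: a minimal token interface and a reduced collateral
// vault that reproduces the unset-manager path described in the issue.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract CollateralSketch {
    IERC20 public immutable baseToken;
    address public manager;                 // stays address(0) until setManager is called
    mapping(address => bool) public hasManagerWithdrawRole;
    address public owner;

    constructor(IERC20 _baseToken) {
        baseToken = _baseToken;
        owner = msg.sender;
        // manager is deliberately not initialised here, mirroring the reported behaviour
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyManagerWithdrawRole() { require(hasManagerWithdrawRole[msg.sender], "no role"); _; }

    // Granting the role does not require manager to be set first.
    function grantManagerWithdrawRole(address account) external onlyOwner {
        hasManagerWithdrawRole[account] = true;
    }

    // The only place manager is ever assigned.
    function setManager(address _manager) external onlyOwner {
        manager = _manager;
    }

    // Unchecked form: with manager == address(0) the transfer targets the zero address.
    function managerWithdrawUnchecked(uint256 amount) external onlyManagerWithdrawRole {
        require(baseToken.transfer(manager, amount), "transfer failed");
    }

    // Hardened form applying the recommended mitigation before any funds move.
    function managerWithdraw(uint256 amount) external onlyManagerWithdrawRole {
        require(manager != address(0), "manager must be set to send funds");
        require(baseToken.transfer(manager, amount), "transfer failed");
    }
}
```

Whether the unchecked path actually loses tokens depends on the base token's transfer implementation: OpenZeppelin's ERC20 reverts on a transfer to address(0), whereas a token without that guard would complete the transfer and the funds would be unrecoverable, so the explicit require is the robust fix regardless of the token.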