PrePOMarket.sol : a sender who is not included in the account list can front run and mint prior to setting the _mintHook
#266
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-93
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/PrePOMarket.sol#L65-L74
Vulnerability details
Impact
A sender who is not included in the account list can front-run and mint before the _mintHook is set.
Proof of Concept
The contract says,
But when we look at the mint function, the sender is validated only if the _mintHook is valid, at line 68.
The _mintHook is not set during contract deployment; a separate function is used to set it. As soon as the contract is deployed, a user can front-run and call the mint function.
Tools Used
Manual review
Recommended Mitigation Steps
Set the _mintHook in the constructor while deploying the contract, and revert if _mintHook is not set.
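As an added illustration (not PrePO's code), a minimal hypothetical market contract showing the unguarded pattern the proof of concept describes beside a hardened form that follows the recommended mitigation; the IHook interface, contract names, function names and the owner/setter logic are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Hypothetical hook interface (assumed, not PrePO's IHook).
interface IHook {
    function hook(address sender, uint256 amount) external;
}

// Pattern the report describes: the sender-validating hook is optional and
// is set by a separate call after deployment, so mint() runs unguarded
// between deployment and setMintHook().
contract MarketUnguarded {
    address public immutable owner;
    IHook public mintHook; // address(0) until the owner sets it
    mapping(address => uint256) public minted;

    constructor() { owner = msg.sender; }

    function setMintHook(IHook hook) external {
        require(msg.sender == owner, "not owner");
        mintHook = hook;
    }

    function mint(uint256 amount) external {
        // Sender is checked only when a hook exists (the line-68 pattern).
        if (address(mintHook) != address(0)) {
            mintHook.hook(msg.sender, amount);
        }
        minted[msg.sender] += amount;
    }
}

// Hardened form per the recommended mitigation: the hook is required in the
// constructor and mint() reverts while it is unset, closing the window.
contract MarketGuarded {
    IHook public mintHook;
    mapping(address => uint256) public minted;

    constructor(IHook hook) {
        require(address(hook) != address(0), "mint hook not set");
        mintHook = hook;
    }

    function mint(uint256 amount) external {
        require(address(mintHook) != address(0), "mint hook not set"); // defensive guard
        mintHook.hook(msg.sender, amount); // reverts for senders not on the list
        minted[msg.sender] += amount;
    }
}
```

In MarketUnguarded, any call to mint() that lands before setMintHook() bypasses the account list entirely; in MarketGuarded there is no such state to reach.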