Owner can set it self manager to steal funds #458
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-377
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Comments
code423n4
added
2 (Med Risk)
|
We are aware of the centralization risks, initially, all contracts will have a multi-sig as owner to prevent a sole owner, later on a DAO could be the owner. |
|
TriHaz marked the issue as sponsor acknowledged |
c4-sponsor
added
the
sponsor acknowledged
|
GalloDaSballo marked the issue as duplicate of #377 |
|
GalloDaSballo marked the issue as satisfactory |
c4-judge
added
the
satisfactory
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/BondNFT.sol#L366-L370
Vulnerability details
Impact
owner can steal funds
Proof of Concept
owner can steal funds by setting itself manager and owner will be able to use
onlymanager()function like claim on this amount will be sent to manager rather than bond.owner.Tools Used
vs code
Recommended Mitigation Steps
add check so owner cannot set itself manager or make sure user provided address is a contract rather than wallet address
The text was updated successfully, but these errors were encountered: