Unrestricted Access Control in setCurves Function of FeeSplitter.sol #64
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-4
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-01-curves/blob/main/contracts/FeeSplitter.sol#L35
Vulnerability details
Impact
The absence of access control on the setCurves(Curves curves_) function in the FeeSplitter.sol contract presents a significant security risk. This function allows the setting of a new Curves contract instance, which is integral to the operation of the FeeSplitter contract. Since any user can call this function, it opens up the possibility for malicious actors to redirect the contract to a fraudulent Curves contract. This could lead to severe consequences such as misappropriation of funds, incorrect fee calculation and distribution, and overall disruption of the intended functionalities of the FeeSplitter contract within the Curves ecosystem.
Proof of Concept
https://github.com/code-423n4/2024-01-curves/blob/main/contracts/FeeSplitter.sol#L35
The function in question is as follows:
This function lacks any form of access control, making it callable by any external entity.
Tools Used
Manual review
Recommended Mitigation Steps
Modify the setCurves function to include an access control modifier like onlyOwner or onlyManager. This ensures that only authorized addresses can change the Curves contract instance.
Assessed type
Access Control
The text was updated successfully, but these errors were encountered: