Unrestricted Access Control in setCurves Function of FeeSplitter.sol

[c4-bot-6]

Lines of code

https://github.com/code-423n4/2024-01-curves/blob/main/contracts/FeeSplitter.sol#L35

Vulnerability details

Impact

The absence of access control on the setCurves(Curves curves_) function in the FeeSplitter.sol contract presents a significant security risk. This function allows the setting of a new Curves contract instance, which is integral to the operation of the FeeSplitter contract. Since any user can call this function, it opens up the possibility for malicious actors to redirect the contract to a fraudulent Curves contract. This could lead to severe consequences such as misappropriation of funds, incorrect fee calculation and distribution, and overall disruption of the intended functionalities of the FeeSplitter contract within the Curves ecosystem.

Proof of Concept

https://github.com/code-423n4/2024-01-curves/blob/main/contracts/FeeSplitter.sol#L35

The function in question is as follows:

function setCurves(Curves curves_) public {
    curves = curves_;
}

This function lacks any form of access control, making it callable by any external entity.

Tools Used

Manual review

Recommended Mitigation Steps

Modify the setCurves function to include an access control modifier like onlyOwner or onlyManager. This ensures that only authorized addresses can change the Curves contract instance.

Assessed type

Access Control

[c4-pre-sort]

raymondfam marked the issue as sufficient quality report

[c4-pre-sort]

raymondfam marked the issue as duplicate of #4

[c4-judge]

alcueca changed the severity to 2 (Med Risk)