-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Input validation concerns in the setHooks function in the HookManager contract #18
Comments
raymondfam marked the issue as insufficient quality report |
raymondfam marked the issue as primary issue |
User's input error is not a protocol threat. Additionally, this will be circumvented via try/catch by claimer.sol: https://github.com/GenerationSoftware/pt-v5-claimer/blob/main/src/Claimer.sol#L192 |
QA is more appropriate. |
hansfriese changed the severity to QA (Quality Assurance) |
hansfriese marked the issue as grade-c |
This previously downgraded issue has been upgraded by hansfriese |
hansfriese removed the grade |
hansfriese changed the severity to QA (Quality Assurance) |
hansfriese marked the issue as grade-c |
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/abstract/HookManager.sol#L29
Vulnerability details
Impact
The setHooks function directly sets user-specified hooks without any validation checks. It's essential to validate that the hooks address provided is a legitimate contract that implements the VaultHooks interface correctly.
Proof of Concept
The provided code snippet for setHooks directly assigns user-provided hooks without any form of validation.
Tools Used
VS code
Recommended Mitigation Steps
To ensure the hooks provided are indeed valid contracts. This can be achieved by using OpenZeppelin's Address utility for contract checks.
import "@openzeppelin/contracts/utils/Address.sol";
function setHooks(VaultHooks calldata hooks) external {
require(Address.isContract(address(hooks)), "Hooks must be a valid contract");
_hooks[msg.sender] = hooks;
emit SetHooks(msg.sender, hooks);
}
It is crucial for DeFi protocols, especially those involving value transfer and external contract interactions like PoolTogether, to rigorously validate user inputs and external contract references to safeguard against vulnerabilities and ensure system robustness.
Assessed type
Access Control
The text was updated successfully, but these errors were encountered: