Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

admin can set marketplace to malicious address #306

Closed
code423n4 opened this issue Jun 26, 2022 · 2 comments
Closed

admin can set marketplace to malicious address #306

code423n4 opened this issue Jun 26, 2022 · 2 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists invalid This doesn't seem right

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-06-illuminate/blob/3ca41a9f529980b17fdc67baf8cbee5a8035afab/lender/Lender.sol#L145

Vulnerability details

Impact

admin could setMarketPlace() with a malicious contract that is upgradeable or doesn't contain the correct address for the fixed rate markets, leading to user funds being lost or stolen.

Proof of Concept

admin can set marketPlace to any address.
https://github.com/code-423n4/2022-06-illuminate/blob/3ca41a9f529980b17fdc67baf8cbee5a8035afab/redeemer/Redeemer.sol#L70-L76

    function setMarketPlace(address m) external authorized(admin) returns (bool) {
        if (marketPlace != address(0)) {
            revert Exists('marketplace');
        }
        marketPlace = m;
        return true;
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Only allow whitelisted marketPlace addresses that can legitimately be used to fetch the addresses of all the fixed rate markets.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jun 26, 2022
code423n4 added a commit that referenced this issue Jun 26, 2022
@code423n4
hake issue #306
523cb65
@KenzoAgada
Copy link

KenzoAgada commented Jun 28, 2022
edited
Loading

And who will set the whitelisted marketplace addresses...?

@sourabhmarathe sourabhmarathe added disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue labels Jun 28, 2022
@sourabhmarathe
Copy link
Collaborator

sourabhmarathe commented Jun 28, 2022
edited
Loading

Duplicate of #316.

@sourabhmarathe sourabhmarathe added sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons and removed sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue labels Jun 30, 2022
@JTraversa JTraversa added duplicate This issue or pull request already exists and removed sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons labels Jul 6, 2022
@gzeoneth gzeoneth added the invalid This doesn't seem right label Jul 16, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@sourabhmarathe @JTraversa @code423n4 @gzeoneth @KenzoAgada