Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: high

Insecure Key Management liable to attack

0xVinylDavyl

Summary

The contract includes hard-coded key values and sensitive addresses, which could lead to unauthorized access and compromise of sensitive functionalities.

Vulnerability Details

The contract uses hard-coded addresses for sensitive roles and keys. Storing sensitive information directly in the contract's source code poses a security risk, as these values can be easily discovered and exploited by attackers.

// Vulnerable Code: Insecure Key Management

address public stadiumAddress = makeAddr("stadium");

address public factoryAdmin = makeAddr("factoryAdmin");

address public tokenMinter = makeAddr("tokenMinter");

address public organizer = address(11);

address public sponsor = address(12);

address public supporter = address(13);

address public user1 = address(14);

address public user2 = address(15);

address public user3 = address(16);

Impact

Insecure key management increases the risk of unauthorized access to sensitive functionalities and addresses. Attackers can potentially gain control over the contract's behavior, leading to unauthorized actions and potential financial losses.

Tools Used

Manual

Recommendations

Avoid hard-coding sensitive addresses and keys directly into the contract source code.
Implement a secure and decentralized method for managing sensitive addresses and keys, such as utilizing access control mechanisms like OpenZeppelin's AccessControl contract or utilizing a decentralized identity management solution.

// Recommended Code: Secure Key Management

// Implement a role-based access control mechanism using OpenZeppelin's AccessControl contract.

import "@openzeppelin/contracts/access/AccessControl.sol";

contract MyContract is AccessControl {

bytes32 public constant FACTORY_ADMIN_ROLE = keccak256("FACTORY_ADMIN_ROLE");

bytes32 public constant TOKEN_MINTER_ROLE = keccak256("TOKEN_MINTER_ROLE");

bytes32 public constant ORGANIZER_ROLE = keccak256("ORGANIZER_ROLE");

bytes32 public constant SPONSOR_ROLE = keccak256("SPONSOR_ROLE");

bytes32 public constant SUPPORTER_ROLE = keccak256("SUPPORTER_ROLE");

bytes32 public constant USER_ROLE = keccak256("USER_ROLE");

constructor() {

_setupRole(DEFAULT_ADMIN_ROLE, msg.sender);

}

modifier onlyFactoryAdmin() {

require(hasRole(FACTORY_ADMIN_ROLE, msg.sender), "AccessControl: Only factory admin");

}

modifier onlyTokenMinter() {

require(hasRole(TOKEN_MINTER_ROLE, msg.sender), "AccessControl: Only token minter");

}

// Add more modifier functions for other roles...

// The rest of your contract functions...

}

More Details
Utilize OpenZeppelin's AccessControl contract to implement a role-based access control mechanism. Define role constants and set up role-based modifiers for various contract functionalities. By doing so, you can securely manage and control access to sensitive functionalities and addresses without exposing hard-coded values in the contract's source code.

By following this recommendation, you can significantly enhance the security of key management within your contract, reducing the risk of unauthorized access and compromising sensitive functionalities.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.