DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: high
Invalid

Privileged administrator function lacks access control

Summary

Access Control issues are common in all programs, not just smart contracts. One usually accesses a contract's functionality through its public or external functions.

Vulnerability Details

The consequences of neglecting access control can be disastrous. Without proper checks, unauthorized users can gain unrestricted access to sensitive functionalities, such as minting or burning tokens, altering critical contract parameters, or even transferring ownership. This unrestricted access can lead to unauthorized creation or destruction of tokens, theft of user funds, or manipulation of contract behavior.

Access controls define the restrictions around privileges and roles of users in an application. Access control in smart contracts can be related to governance and critical logic like minting tokens, voting on proposals, withdrawing funds, pausing and upgrading the contracts, changing ownership, etc.

Missed Modifier Validations — It is important to have access control validations on critical functions that execute actions like modifying the owner, transfer of funds and tokens, pausing and unpausing the contracts, etc. Missing validations either in the modifier or inside require or conditional statements will most probably lead to compromise of the contract or loss of funds.

Access control vulnerabilities have high exploitation potential. Malicious actors actively search for contracts with weak or absent access controls to exploit them for personal gain. Once a vulnerability is discovered, the attacker can execute unauthorized operations, manipulate contract state, drain funds, or even take full control of the contract.

Impact

Access control is a fundamental security principle that governs who can perform specific actions within a smart contract. Proper access control ensures that only authorized entities can execute sensitive operations or modify critical data. However, when access control mechanisms are improperly implemented or omitted entirely, vulnerabilities emerge.

The issue with ERC1155 is that allowances are unlimited. There is only a setApprovalForAll function, which grants the operator unlimited access to a user's tokens. This doesn't allow limited allowances (like in ERC20), which reduce the risk of draining for users.

Tools Used

Manual code review

Recommendations

Implementing proper access control mechanisms involves using modifiers, conditionals, or external role-based contracts to restrict function execution to authorized entities.

Always specify a modifier for functions.

To fix this issue, you should use the onlyowner modifier to restrict access to the function so that only the current owner can call it.

    // Reverts unless the caller is the current owner.
    modifier onlyowner {
        require(msg.sender == owner);
        _;
    }

    function setApprovalForAll(address operator, bool approved) external onlyowner {
        // ... existing function body ...
    }

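A review aid for the "missed modifier" pattern described above, as an added example that is not part of the submission or of the audited code base: a heuristic Python scan that lists externally callable, state-changing Solidity functions with neither a modifier nor a `msg.sender` check. The `Vault` contract and all names in it are constructed for illustration.

```python
import re

# Constructed sample contract (not from the audited code base).
SAMPLE = """
contract Vault {
    address public owner;
    uint256 public fee;
    bool public paused;
    modifier onlyOwner { require(msg.sender == owner); _; }

    function setFee(uint256 f) external onlyOwner { fee = f; }
    function setOwner(address o) external { owner = o; }
    function pause() public { require(msg.sender == owner, "no"); paused = true; }
    function getFee() external view returns (uint256) { return fee; }
    function _reset() internal { fee = 0; }
}
"""

# name, parameter list, then everything between ')' and the opening '{'
FUNC = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
KEYWORDS = {"external", "public", "internal", "private", "view", "pure",
            "payable", "virtual", "override"}

def body_of(src, start):
    """Return the brace-balanced body that begins at index `start` (just after '{')."""
    depth, i = 1, start
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1]

def unguarded_functions(src):
    """Names of externally callable, state-changing functions with no modifier
    and no msg.sender check in the body (heuristic, for triage only)."""
    findings = []
    for m in FUNC.finditer(src):
        name, header = m.group(1), m.group(3)
        header = re.sub(r"returns\s*\([^)]*\)", "", header)  # drop return types
        header = re.sub(r"\([^)]*\)", "", header)            # drop modifier arguments
        words = set(re.findall(r"[A-Za-z_]\w*", header))
        if not words & {"external", "public"} or words & {"view", "pure"}:
            continue
        has_modifier = bool(words - KEYWORDS)
        if not has_modifier and "msg.sender" not in body_of(src, m.end()):
            findings.append(name)
    return findings

if __name__ == "__main__":
    print(unguarded_functions(SAMPLE))
```

A flagged name is a lead for manual review rather than a confirmed finding, since some functions are meant to be callable by any account.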
Updates

Lead Judging Commences
0xnevi, Lead Judge, over 1 year ago

Submission Judgement Published
0xnevi, Lead Judge, over 1 year ago
Invalidated
Reason: Other
