First Flight #4: Boss Bridge

First Flight #4

Beginner FriendlyFoundryBridge

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

There should be a method to revoke a rogue signer

happyformerlawyer

Summary

The setSigner function is a one way function that allows you to enable permission for a given signer but there is no way to revoke that permission in the event that the signer goes rogue or that a third party gets access to that signer's private keys.

Vulnerability Details

setSigner lets you give permission but there is no way to revoke it:

function setSigner(address account, bool enabled) external onlyOwner {

signers[account] = enabled;

}

Impact

If a signer goes rogue or a malicious third party gets access to a signer's keys, it could lead to stolen funds or interfere with the expected operation of the bridge (e.g., if the signer refuses to sign withdrawals).

Tools Used

Manual review

Recommendations

You should add a function to revoke signer addresses. Here is the function I recommend:

function removeSigner(account address) external onlyOwner {

signers[account] = false;}

Updates

Lead Judging Commences

0xnevi Lead Judge

about 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.