Beginner Friendly, Foundry, Bridge
Submission Details
Severity: medium
Invalid

Missing Access Control in getTokenAddressFromSymbol(), allowing anybody to call it

Summary

The getTokenAddressFromSymbol function in the TokenFactory contract does not have any access control, which means that it can be called by any external entity.

Vulnerability Details

This could potentially lead to privacy issues, as anyone could call this function to get the address of a token.

Impact

If the token address becomes public without proper access control, it can lead to several vulnerabilities:

  1. Token Address Exposure: The getTokenAddressFromSymbol function returns the address of a token given its symbol. If an attacker knows the symbol of a token, they could potentially use this function to find the address of the token. This could be used for malicious activities like front-running or other attacks.

  2. Token Manipulation: If an attacker can predict the address of a token (for example, if the token address is derived from a predictable pattern), they could potentially manipulate the token. For example, they could send tokens to the address before it's assigned to the actual owner, effectively stealing the tokens.

Tools Used

Recommendations

To restrict access to this function, you could make it internal or private. These visibility specifiers restrict the function to be only callable from within the contract itself. However, if you need to expose this function to external entities, you could add a modifier to restrict who can call it.

For example, you could add an onlyOwner modifier to restrict access to the owner of the contract:

    function getTokenAddressFromSymbol(string memory symbol) public view onlyOwner returns (address addr) {
        return s_tokenToAddress[symbol];
    }

In this example, only the owner of the contract can call the getTokenAddressFromSymbol function. If any other address tries to call this function, the transaction will fail.

Alternatively, if you want to allow any address to call this function, but you want to ensure that the function can only be called when certain conditions are met, you could add a require statement:

function getTokenAddressFromSymbol(string memory symbol) public view returns (address addr) {
+ require(msg.sender == owner, "message for the require");
return s_tokenToAddress[symbol];
}
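
Review bot: the added `require(msg.sender == owner, ...)` line enforces the same owner-only restriction as the `onlyOwner` modifier in the previous snippet, so it is not a different, condition-based option. If a second option is intended, the condition should be something other than an owner check. `owner` is not declared anywhere in the lines shown, so the snippet needs to state where it comes from, and the revert string "message for the require" is a placeholder that should be replaced with a specific error message or a custom error.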

In this example, any address can call the getTokenAddressFromSymbol function, but the function will revert the transaction if the caller is not the owner of the contract.
You can change the above two however you see fit.

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
