The setExtraArgs function in the SDLPoolCCIPControllerSecondary.sol contract lacks a proper access control check, potentially allowing any address to modify the extraArgs. To address this vulnerability, it is recommended to implement access controls in the setExtraArgs function, ensuring that only the contract owner can update this critical parameter. I provided a code snippet demonstrating the suggested mitigation step by introducing an onlyOwner modifier to restrict access to authorized addresses.
SDLPoolCCIPControllerSecondary.sol contract that highlights the lack of access control in the setExtraArgs function:
In the contract, the onlyOwner modifier is applied to the setExtraArgs function. However, it's important to note that the onlyOwner modifier is not defined in the provided snippet, and its absence implies that the access control check is missing. To address this vulnerability, you should add the onlyOwner modifier to the SDLPoolCCIPControllerSecondary.sol contract, as suggested:
The setExtraArgs function currently lacks a proper check to ensure that only the contract owner can modify the extraArgs. Without proper access control, any address can potentially update this critical parameter, leading to unauthorized modifications and a potential security breach.
Manual
Implement an access control modifier in the setExtraArgs function to ensure that only the contract owner has the authority to update the extraArgs. This can be achieved by adding a modifier like onlyOwner to the function.
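The recommended restriction, together with a check that a non-owner call is rejected, as an added example that is not the SDLPoolCCIPControllerSecondary source or the submitter's snippet. Only setExtraArgs, extraArgs and onlyOwner come from the report; the contract names, the NotOwner error, the ExtraArgsUpdated event and the owner storage are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Illustrative stand-in (assumption), not the audited contract.
contract ExtraArgsController {
    address public immutable owner;   // assumed ownership storage
    bytes public extraArgs;

    error NotOwner(address caller);                              // hypothetical
    event ExtraArgsUpdated(address indexed by, bytes extraArgs); // hypothetical

    constructor() {
        owner = msg.sender;
    }

    // The restriction exists only if this modifier is defined in the contract
    // or inherited from a base contract; naming an undefined modifier on a
    // function is a compile error, not a silent no-op.
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    function setExtraArgs(bytes calldata _extraArgs) external onlyOwner {
        extraArgs = _extraArgs;
        // Emitting on every change lets monitoring flag unexpected updates.
        emit ExtraArgsUpdated(msg.sender, _extraArgs);
    }
}

// A second address that attempts the update and reports whether it went through.
contract Stranger {
    function tryUpdate(ExtraArgsController c) external returns (bool ok) {
        try c.setExtraArgs(hex"01") { ok = true; } catch { ok = false; }
    }
}

// Deploys the controller (making this contract the owner) and exercises both
// paths. run() returns true only if the owner call succeeds, the stranger's
// call reverts, and the stored value is still the owner's.
contract AccessControlCheck {
    function run() external returns (bool) {
        ExtraArgsController c = new ExtraArgsController();
        Stranger s = new Stranger();
        c.setExtraArgs(hex"beef");
        bool strangerSucceeded = s.tryUpdate(c);
        return !strangerSucceeded && keccak256(c.extraArgs()) == keccak256(hex"beef");
    }
}
```

Deploying AccessControlCheck and calling run() gives the same owner-versus-stranger check that a test suite for the real contract should include for every privileged setter.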