The onlyManager modifier is used in the contract, but there's no clear mechanism for updating the manager address, and there's no strict access control for critical functions.
The LiquidationPool contract uses the onlyManager modifier to restrict access to certain functions, ensuring that only the manager can invoke them. However, the setManager function, which allows the owner to update the manager address, does not have a secure mechanism for managing this update. The absence of additional security checks or multi-signature authentication in the setManager function exposes the contract to potential vulnerabilities.
Without proper access control and security checks in the setManager function, unauthorized users may exploit this vulnerability, potentially leading to unauthorized changes in the manager address. This could result in unintended access to critical functions and manipulation of the contract state.
VS Code / Manual
By implementing the recommendations below, the contract can establish robust access controls and improve overall security by preventing unauthorized access to critical functions. Thorough testing is essential to validate the correctness and security of the updated contract.
To address the lack of access control and enhance security, the following recommendations are provided:
Strict Access Control:
Implement strict access control mechanisms for critical functions to ensure that only authorized users, such as the manager, can execute them. This involves using modifiers or access control checks within the function logic.
Apply the onlyManager modifier to critical functions to restrict access.
Secure Manager Update:
Enhance the security of the setManager function by adding additional checks or requiring multi-signature authentication to update the manager address. This ensures that only authorized entities can modify the manager.
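As an added example (not the audited LiquidationPool code), the following Solidity sketch shows the recommended pattern: a zero-address check in setManager, owner-only nomination with a two-step acceptance by the new manager, and the onlyManager modifier on a critical function. The contract name, the pendingManager step and distributeFees are assumptions for illustration; multi-signature control is obtained by deploying with a multisig wallet as owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited LiquidationPool code. Assumes `owner`
// is a multisig and `distributeFees` stands in for the manager-only functions.
contract LiquidationPoolExample {
    address public owner;
    address public manager;
    address public pendingManager;

    event ManagerProposed(address indexed current, address indexed proposed);
    event ManagerUpdated(address indexed previous, address indexed current);
    error Unauthorized(address caller);
    error ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        _;
    }

    modifier onlyManager() {
        if (msg.sender != manager) revert Unauthorized(msg.sender);
        _;
    }

    constructor(address _owner, address _manager) {
        if (_owner == address(0) || _manager == address(0)) revert ZeroAddress();
        owner = _owner;      // expected to be a multisig wallet
        manager = _manager;
    }

    // Step 1: only the owner may nominate a new manager; zero address rejected.
    function setManager(address _manager) external onlyOwner {
        if (_manager == address(0)) revert ZeroAddress();
        pendingManager = _manager;
        emit ManagerProposed(manager, _manager);
    }

    // Step 2: the nominee must accept, so a mistyped address cannot become manager.
    function acceptManager() external {
        if (msg.sender != pendingManager) revert Unauthorized(msg.sender);
        emit ManagerUpdated(manager, msg.sender);
        manager = msg.sender;
        pendingManager = address(0);
    }

    // Critical function guarded by onlyManager, as the finding recommends.
    function distributeFees(uint256) external onlyManager {
        // fee distribution logic would go here
    }
}
```

The emitted events give monitoring a clear signal whenever a manager change is proposed or completed, which is what an on-chain alert for this contract should watch.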