The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

The vault owner can bypass the restriction to change the owner of the vault

Summary

The function setOwner in SmartVaultV3.sol has a modifier onlyVaultManager that allows only the vault manager to change the owner of the Vault. Even the owner of the vault can't change the owner.
This restriction can be bypassed by using the inherent transferFrom function of SmartVaultManagerV5.sol to transfer the Vault NFT to some other target address.
After the transfer, if we check the owner of the Vault, we will see that it has changed to the target address.

A Hardhat test is shown below to confirm this vulnerability.

Vulnerability Details

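Here is a test to bypass the setOwner restriction for changing the owner of the Vault.

```javascript
// Vault, VaultManager, user, target and tID come from the test suite's setup (not shown).
it('bypass change owner restriction', async () => {
  // Vault owner before the NFT transfer
  const own = await Vault.connect(user).owner();
  console.log("Owner address : ", own);
  console.log("Token ID : ", tID);
  // The NFT holder moves the vault NFT with the manager's ERC-721 transferFrom
  await VaultManager.connect(user).transferFrom(user.address, target.address, tID);
  // Vault owner after the transfer
  const own2 = await Vault.connect(user).owner();
  console.log("Owner address after: ", own2);
});
```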

Impact

A user is able to bypass the restriction placed on vaults for changing the owner.

Tools Used

Manual review

Recommendations

Override the transferFrom and safeTransferFrom functions of SmartVaultManagerV5.sol to prevent anyone other than the vault manager from changing the vault owner.
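An added example, not part of the submission or of The Standard's code: a small JavaScript model of the behaviour the test above exercises, showing that a direct setOwner call by the holder is rejected while a transfer of the vault NFT updates the vault owner through the manager. The class names and addresses are constructed, and the step where the manager calls setOwner during a transfer is an assumption about how it keeps the two in sync.

```javascript
// Constructed model, not The Standard's Solidity. Addresses are sample strings.
class Vault {
  constructor(manager, owner) { this.manager = manager; this.owner = owner; }
  // Models the onlyVaultManager modifier on setOwner.
  setOwner(caller, newOwner) {
    if (caller !== this.manager) throw new Error("onlyVaultManager");
    this.owner = newOwner;
  }
}

class VaultManager {
  constructor(address) {
    this.address = address;
    this.holders = new Map(); // tokenId -> NFT holder
    this.vaults = new Map();  // tokenId -> Vault
  }
  mint(to, id) {
    this.holders.set(id, to);
    this.vaults.set(id, new Vault(this.address, to));
  }
  // Simplified ERC-721 transferFrom: approvals omitted, only the holder may move it.
  transferFrom(caller, from, to, id) {
    if (this.holders.get(id) !== from || caller !== from) throw new Error("not token owner");
    this.holders.set(id, to);
    // Assumed hook: the manager, as caller, keeps the vault owner in sync.
    this.vaults.get(id).setOwner(this.address, to);
  }
}

// Returns the error message of a rejected call, or "ok".
function attempt(fn) {
  try { fn(); return "ok"; } catch (e) { return e.message; }
}

function runScenario() {
  const manager = new VaultManager("0xManager");
  manager.mint("0xUser", 1);
  const vault = manager.vaults.get(1);
  const r = {};
  r.directCall = attempt(() => vault.setOwner("0xUser", "0xTarget"));
  r.stranger = attempt(() => manager.transferFrom("0xStranger", "0xUser", "0xStranger", 1));
  r.ownerBefore = vault.owner;
  r.holderTransfer = attempt(() => manager.transferFrom("0xUser", "0xUser", "0xTarget", 1));
  r.ownerAfter = vault.owner;
  // Invariant worth asserting in a real suite: vault owner equals NFT holder.
  r.inSync = vault.owner === manager.holders.get(1);
  return r;
}
```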

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

informational/invalid
