The fixUser function in the MErc20DelegateFixer contract lacks proper access control measures, allowing any address to call the function. This oversight can potentially lead to unauthorized modifications of user balances and bad debt counters.
The vulnerability arises from the absence of access control mechanisms in the fixUser function, which should only be callable by authorized entities. As a result, any address can call this function and perform operations that may impact user balances and bad debt counters.
The lack of access control in the fixUser function exposes the contract to the following:
Unauthorized callers could manipulate user balances, potentially causing financial losses for affected users.
Improper liquidation of accounts could occur, leading to disruption of user activities and protocol operations.
Artificial inflation of bad debt counters may occur, undermining the integrity of the protocol's accounting system and financial health.
Manual Review
Implement access control mechanisms such as role-based access control (RBAC) so that sensitive functions like fixUser can only be invoked by authorized entities. This restriction enhances the security and integrity of the protocol.
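The following is an added illustration of the recommended fix, not the MErc20DelegateFixer source: the contract layout, the fixUser signature, the accounting inside it and the `admin` storage variable are all assumptions made for the example. It shows an admin-gated fixUser together with a Foundry test (requires forge-std) that verifies an unauthorized caller is reverted before any state changes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract only (NOT the real MErc20DelegateFixer).
// Assumptions: a Compound-style `admin` slot, a simplified fixUser(liquidator, user)
// signature, and a toy balance/bad-debt bookkeeping that stands in for the real logic.
contract FixerExample {
    address public admin;                            // assumed admin slot
    mapping(address => uint256) public accountTokens; // assumed user balance storage
    uint256 public badDebt;                           // assumed bad-debt counter

    event UserFixed(address indexed liquidator, address indexed user, uint256 amount);
    error Unauthorized(address caller);

    constructor() {
        admin = msg.sender;
    }

    // Single-role gate. A fuller RBAC scheme would replace `admin` with a
    // dedicated role (e.g. a "fixer" role) but the revert-before-state-change
    // pattern is the same.
    modifier onlyAdmin() {
        if (msg.sender != admin) revert Unauthorized(msg.sender);
        _;
    }

    // Hardened fixUser: the modifier runs before the body, so an unauthorized
    // caller cannot touch balances or the bad-debt counter.
    function fixUser(address liquidator, address user) external onlyAdmin {
        uint256 amount = accountTokens[user];
        accountTokens[user] = 0;                 // hypothetical accounting
        accountTokens[liquidator] += amount;     // hypothetical accounting
        badDebt += amount;                       // hypothetical accounting
        emit UserFixed(liquidator, user, amount);
    }

    // Test helper (not part of the fix): seed a balance so the test has state to protect.
    function seed(address user, uint256 amount) external onlyAdmin {
        accountTokens[user] = amount;
    }
}

// Foundry test showing how to check the access control holds.
// Run with `forge test` in a project that has forge-std installed.
import {Test} from "forge-std/Test.sol";

contract FixerExampleTest is Test {
    FixerExample fixer;
    address constant USER = address(0xBEEF);       // constructed test address
    address constant LIQUIDATOR = address(0xCAFE); // constructed test address
    address constant STRANGER = address(0xDEAD);   // constructed test address

    function setUp() public {
        fixer = new FixerExample(); // test contract becomes admin
        fixer.seed(USER, 1_000e18);
    }

    function test_strangerCannotFixUser() public {
        vm.prank(STRANGER);
        vm.expectRevert(abi.encodeWithSelector(FixerExample.Unauthorized.selector, STRANGER));
        fixer.fixUser(LIQUIDATOR, USER);

        // No state was touched by the rejected call.
        assertEq(fixer.accountTokens(USER), 1_000e18);
        assertEq(fixer.badDebt(), 0);
    }

    function test_adminCanFixUser() public {
        fixer.fixUser(LIQUIDATOR, USER);
        assertEq(fixer.accountTokens(USER), 0);
        assertEq(fixer.accountTokens(LIQUIDATOR), 1_000e18);
        assertEq(fixer.badDebt(), 1_000e18);
    }
}
```

The first test is the one that matters for this finding: without the `onlyAdmin` modifier it would fail, because the stranger's call would succeed and move the balance and inflate badDebt. Keeping a test like this in the suite also guards against the modifier being dropped in a later refactor.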