The `configure` function in the `MarginCollateralConfiguration` library lacks access control mechanisms, allowing any contract to modify critical parameters related to margin collateral. This poses a significant risk, as unauthorized modifications could lead to financial losses and system instability.
The `configure` function is currently marked as `internal`, meaning it can be called by any contract that uses the library. However, it does not have any restrictions on who can call it. This means that any contract, even a malicious one, could potentially modify the following parameters:
- `depositCap`: The maximum amount of collateral that can be deposited. Setting this to 0 would effectively disable the collateral type.
- `loanToValue`: The ratio used to calculate the maximum loan amount based on the collateral value. Manipulating this could lead to over-leveraged positions and increased risk of liquidation.
- `priceFeed`: The address of the price oracle used to determine the collateral's value. Setting this to a compromised or manipulated oracle could result in incorrect valuations and potential losses.
Attackers could modify the collateral configuration to their advantage, potentially causing significant financial harm to users and the platform.
Manual Review
The simplest and most effective solution is to add the `onlyOwner` modifier to the `configure` function. This will ensure that only the owner of the contract can modify the collateral configuration.
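One way to apply the recommended owner check, as an added example that is not the project's code: the `onlyOwner` check sits on the external entry point that reaches the library's `internal` `configure`, and each change emits an event that monitoring can alert on. The struct layout, storage slot string, event, and every contract and function name other than `configure` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Field names follow the finding; the layout, slot string and
// all names other than `configure` are assumptions made for illustration.
library MarginCollateralConfigurationExample {
    struct Data { uint128 depositCap; uint120 loanToValue; address priceFeed; }

    // Hypothetical storage pointer: one slot namespace per collateral type.
    function load(address collateralType) internal pure returns (Data storage self) {
        bytes32 slot = keccak256(abi.encode("example.MarginCollateralConfiguration", collateralType));
        assembly { self.slot := slot }
    }

    // `internal`: compiled into the contract that uses the library, so the
    // caller check belongs on the external function that reaches this code.
    function configure(address collateralType, uint128 depositCap, uint120 loanToValue, address priceFeed) internal {
        Data storage self = load(collateralType);
        self.depositCap = depositCap;
        self.loanToValue = loanToValue;
        self.priceFeed = priceFeed;
    }
}

contract CollateralAdminExample {
    address public immutable owner;

    error NotOwner(address caller);
    event MarginCollateralConfigured(
        address indexed collateralType, uint128 depositCap, uint120 loanToValue, address priceFeed
    );

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor(address initialOwner) { owner = initialOwner; }

    // Only the owner can change depositCap, loanToValue or priceFeed.
    function configureMarginCollateral(
        address collateralType, uint128 depositCap, uint120 loanToValue, address priceFeed
    ) external onlyOwner {
        MarginCollateralConfigurationExample.configure(collateralType, depositCap, loanToValue, priceFeed);
        // Logged so off-chain monitoring can flag unexpected configuration changes.
        emit MarginCollateralConfigured(collateralType, depositCap, loanToValue, priceFeed);
    }
}
```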