The `SettlementBranch::_requireIsKeeper` function is intended to restrict certain actions to a designated keeper address. However, the current implementation allows anyone to perform keeper-only actions when no keeper is explicitly set (keeper equal to `address(0)`). This stems from the logical condition used to enforce the restriction, which inadvertently permits unrestricted access in the absence of a designated keeper.
The vulnerability lies in the logic of `SettlementBranch::_requireIsKeeper`, specifically in the condition `if (sender != keeper && keeper != address(0))`.
This condition reverts the transaction only if the sender is not the keeper and a keeper is set (i.e., the keeper address is not the zero address). When the keeper address is the zero address (no keeper designated), the right-hand operand `keeper != address(0)` is false, so the whole conjunction is false and the function does not revert for any sender. Since no real caller has `msg.sender == address(0)`, the unset-keeper state does not lock the restricted functions; it opens them to everyone.
While the keeper address is the zero address, any account can call `SettlementBranch::fillMarketOrder` and `SettlementBranch::fillOffchainOrders`, which are intended to be callable only by the keeper.
Manual review
Change the `SettlementBranch::_requireIsKeeper` function in this way:
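The recommended replacement is not reproduced on this page. As an added illustration (not the report's recommendation and not the project's code), the following Foundry file places the reported condition beside a hardened version and shows, with an assumed contract layout, an assumed `OnlyKeeper` error and a single `fillMarketOrder` entry point standing in for the two affected functions, that an unset keeper opens the vulnerable gate and closes the hardened one:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Vulnerable gate, reproducing the condition quoted in the finding.
/// The storage layout, error name and constructor are assumptions made
/// for this illustration and are not the project's code.
contract KeeperGateVulnerable {
    address public keeper;
    uint256 public filledOrders;

    error OnlyKeeper(address sender, address keeper);

    constructor(address initialKeeper) {
        keeper = initialKeeper;
    }

    // With keeper == address(0) the right-hand operand is false, the whole
    // conjunction is false, and the revert is skipped for every sender.
    function _requireIsKeeper(address sender) internal view {
        if (sender != keeper && keeper != address(0)) {
            revert OnlyKeeper(sender, keeper);
        }
    }

    function fillMarketOrder() external {
        _requireIsKeeper(msg.sender);
        filledOrders++;
    }
}

/// Hardened gate: a caller that is not the keeper always reverts.
/// No real caller has msg.sender == address(0), so an unset keeper
/// closes the function instead of opening it.
contract KeeperGateFixed {
    address public keeper;
    uint256 public filledOrders;

    error OnlyKeeper(address sender, address keeper);

    constructor(address initialKeeper) {
        keeper = initialKeeper;
    }

    function _requireIsKeeper(address sender) internal view {
        if (sender != keeper) {
            revert OnlyKeeper(sender, keeper);
        }
    }

    function fillMarketOrder() external {
        _requireIsKeeper(msg.sender);
        filledOrders++;
    }
}

/// Run with: forge test --match-contract KeeperGateTest
contract KeeperGateTest is Test {
    address internal attacker = makeAddr("attacker");

    function test_unsetKeeperIsOpenInVulnerableGate() public {
        KeeperGateVulnerable gate = new KeeperGateVulnerable(address(0));
        vm.prank(attacker);
        gate.fillMarketOrder(); // does not revert: anyone can fill
        assertEq(gate.filledOrders(), 1);
    }

    function test_unsetKeeperIsClosedInFixedGate() public {
        KeeperGateFixed gate = new KeeperGateFixed(address(0));
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(KeeperGateFixed.OnlyKeeper.selector, attacker, address(0))
        );
        gate.fillMarketOrder();
        assertEq(gate.filledOrders(), 0);
    }

    function test_designatedKeeperStillWorksInFixedGate() public {
        address keeper = makeAddr("keeper");
        KeeperGateFixed gate = new KeeperGateFixed(keeper);
        vm.prank(keeper);
        gate.fillMarketOrder();
        assertEq(gate.filledOrders(), 1);
    }
}
```

The hardened check drops the `keeper != address(0)` clause entirely: if the protocol wants the "no keeper configured" state to be callable by nobody, `sender != keeper` already achieves that, and if it instead wants a separate, explicit error for the unset state, adding `if (keeper == address(0)) revert ...;` before the sender comparison is the clearer way to express it. Either way the zero address must never act as a wildcard that disables the access check.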