Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

DoS for functions from SystemConfig and TokenManager, with onlyOwner modifiers

radin100

Summary

When owner of SystemConfig or TokenManager manages to execute onlyOwner funciton, he is going to face OwnableUnauthorizedAccount revert, due to owner rights belongs to TadleFactory, but not to him

Vulnerability Details

As we know, the contracts from SystemConfig.sol and TokenManager.sol are going to be deployed as logic contracts and the main contracts for users and owner interactions will be proxies deployed by TadleFactory. However as we can see from Rescuable ownable logic, which is inherited by SystemConfig and TokenManager, the ownership of the deployed contracts goes to the deployer. So the owner of the logic contracts will be the deployer and the owner of the proxies will be TadleFactory, which is not expected based on the missing logic in TadleFactoryto interact with any of the proxies.

Impact

Core functionality broke, DoS for all functions with onlyOwner modifier

Tools Used

Manual review

Recommendations

contract TadleFactory is Context, ITadleFactory {

....

function deployUpgradeableProxy(

uint8 _relatedContractIndex,

address _logic,

bytes memory _data

) external onlyGuardian returns (address) {

/// @dev the logic address must be a contract

if (!_logic.isContract()) {

revert LogicAddrIsNotContract(_logic);

}

/// @dev deploy proxy

UpgradeableProxy _proxy = new UpgradeableProxy(

_logic,

guardian,

address(this),

_data

);

+ address(_proxy).transferOwnership(msg.sender);

relatedContracts[_relatedContractIndex] = address(_proxy);

emit RelatedContractDeployed(_relatedContractIndex, address(_proxy));

return address(_proxy);

}

Updates

Lead Judging Commences

0xnevi Lead Judge

about 1 year ago

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

[invalid] finding-Rescuable-initializeOwner-lack-access-control

Aside from `Rescuable.sol` being OOS, this is invalid based on codehawks guidelines regarding unprotected initializers. Additionally, this should be called concurrently when deploying a new proxy, but this submissions does not identify that particular issue of an uninitialized owner for proxy contracts

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.