Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: high
Invalid

Lack of Access Control in `batch` function

Summary

The batch function is designed to allow multiple function calls in a single transaction. However, it currently lacks any form of access control, which poses a significant security risk. This can be exploited by unauthorized users to execute arbitrary code, potentially leading to severe consequences such as unauthorized state changes or financial loss.

Vulnerability Details

The batch function uses delegatecall to execute a series of function calls on the contract itself. This mechanism allows for efficient batch processing but also inherits the calling context, which can be dangerous if not properly controlled.

```solidity
function batch(bytes[] calldata calls) external {
    uint256 count = calls.length;
    for (uint256 i = 0; i < count; ++i) {
        // Each entry is executed against this contract's own code via delegatecall.
        (bool success, bytes memory result) = address(this).delegatecall(calls[i]);
        if (!success) {
            revert Errors.BatchError(result);
        }
    }
}
```

The function is declared as external, meaning it can be called by anyone. Without restrictions, any user can submit a batch of calls, potentially executing any function within the contract.

Since delegatecall executes code in the context of the calling contract, it can modify the contract's state and access its storage. This can lead to unauthorized modifications if malicious calls are executed.

Impact

This can lead to:

  • Malicious actors can exploit this function to alter the contract's state in unintended ways, potentially leading to financial loss or disruption of contract operations.

  • The lack of access control can be leveraged to execute harmful operations, such as draining funds or manipulating contract logic.

  • Unchecked execution of arbitrary calls can lead to unexpected behavior, affecting the contract's reliability and trustworthiness.

Tools Used

Manual Review

Recommendations

Introduce access control mechanisms to restrict who can call the batch function.
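
A check a reviewer can run when assessing a finding like this one is whether functions reached through `batch` still enforce their own caller checks. The following is an added example, not code from the submission or from Sablier Flow; `BatchDemo`, `setValue`, `NotOwner` and `Outsider` are hypothetical names, and only the `batch` body mirrors the snippet quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract for illustration; not Sablier Flow code.
contract BatchDemo {
    error BatchError(bytes result);
    error NotOwner(address caller);

    address public immutable owner;
    uint256 public value;

    constructor() {
        owner = msg.sender;
    }

    // Same shape as the batch function quoted in the submission.
    function batch(bytes[] calldata calls) external {
        uint256 count = calls.length;
        for (uint256 i = 0; i < count; ++i) {
            (bool success, bytes memory result) = address(this).delegatecall(calls[i]);
            if (!success) revert BatchError(result);
        }
    }

    // Guarded function: the check reads msg.sender, which a self-delegatecall preserves.
    function setValue(uint256 newValue) external {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        value = newValue;
    }
}

// Stand-in for an arbitrary external account calling batch (hypothetical).
contract Outsider {
    // Reports whether the batched call to setValue reverted.
    function tryBatch(BatchDemo target) external returns (bool reverted) {
        bytes[] memory calls = new bytes[](1);
        calls[0] = abi.encodeCall(BatchDemo.setValue, (uint256(42)));
        try target.batch(calls) {
            reverted = false;
        } catch {
            reverted = true;
        }
    }
}
```

In this demo the `delegatecall` to `address(this)` keeps `msg.sender` equal to the `Outsider` contract, so the `NotOwner` check fires inside `setValue`, `batch` reverts with `BatchError`, and `value` is left unchanged. A function with no caller check of its own would be callable by the same account directly as well as through `batch`.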

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
