https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/llm/LLMOracleCoordinator.sol#L155
https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/swan/BuyerAgent.sol#L174
https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/llm/LLMOracleCoordinator.sol#L404
Anyone can bypass the onlyAuthorized modifier on the BuyerAgent::oracleStateRequest and BuyerAgent::oraclePurchaseRequest functions by calling the LLMOracleCoordinator::request function directly and reading the result with the LLMOracleCoordinator::getBestResponse function. This also bypasses the phase check performed by BuyerAgent::_checkRoundPhase.
The vulnerability lies in the access control of the LLMOracleCoordinator::request function, which has public visibility and has neither a modifier nor a check on msg.sender.
Anyone can make a state request or a purchase request, learning in this way the status of the buyer agent's narrative, or making a purchase request that only the onlyAuthorized msg.sender should be able to make.
Moreover, this can be done during any phase of the purchasing cycle.
Manual review
Add a require statement checking that msg.sender is a BuyerAgent contract.
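One way to implement this recommendation, as an added example that is not the project's own code: a simplified, hypothetical coordinator with the unrestricted request function beside a restricted one. The names CoordinatorSketch, registrar, isBuyerAgent, setBuyerAgent and requestUnrestricted, and the single bytes parameter, are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified, hypothetical coordinator. Not the Swan/Dria source.
contract CoordinatorSketch {
    // Assumption: the account or factory that deploys buyer agents.
    address public immutable registrar;
    // Assumption: allowlist of buyer agent contracts permitted to open tasks.
    mapping(address => bool) public isBuyerAgent;

    uint256 public nextTaskId = 1;
    mapping(uint256 => address) public requesterOf;

    event Request(uint256 indexed taskId, address indexed requester, bytes input);

    error NotRegistrar(address caller);
    error NotBuyerAgent(address caller);

    constructor(address registrar_) {
        registrar = registrar_;
    }

    /// Called by the registrar whenever it deploys (or retires) a buyer agent.
    function setBuyerAgent(address agent, bool allowed) external {
        if (msg.sender != registrar) revert NotRegistrar(msg.sender);
        isBuyerAgent[agent] = allowed;
    }

    /// Before: externally callable with no check on msg.sender, so any
    /// account can open a task without going through a buyer agent.
    function requestUnrestricted(bytes calldata input) external returns (uint256 taskId) {
        taskId = _open(input);
    }

    /// After: only an allowlisted buyer agent contract can open a task.
    function request(bytes calldata input) external returns (uint256 taskId) {
        if (!isBuyerAgent[msg.sender]) revert NotBuyerAgent(msg.sender);
        taskId = _open(input);
    }

    function _open(bytes calldata input) private returns (uint256 taskId) {
        taskId = nextTaskId++;
        requesterOf[taskId] = msg.sender;
        emit Request(taskId, msg.sender, input);
    }
}
```

With the caller check in place, a request can only be opened through a buyer agent's own functions, so the onlyAuthorized modifier and the _checkRoundPhase check apply to every request.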