Issue: The CurrencyManager contract manages a list of whitelisted currencies, but there are no checks on the actual transfers for these currencies within MembershipFactory. This could allow unintended currencies to be transferred or approved to unauthorized addresses.
Exploit:
A malicious actor could add an unapproved currency through another function or exploit a vulnerability to bypass CurrencyManager, making unauthorized transactions with unsupported currencies.
POC:
Impact: Unauthorized currencies or incorrect values could be used in the system, potentially causing misconfigurations or enabling malicious transactions with incorrect currencies.
Tools used: VSC, GitHub
Recommendation: Use CurrencyManager to enforce checks on all currency transfers and approvals in MembershipFactory, so that only whitelisted currencies are used.
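One way to apply this recommendation, shown as an added sketch that is not code from the audited project: the whitelist is re-checked at the moment of each transfer, not only when a currency is first configured. The interface `ICurrencyWhitelist`, its `isCurrencyWhitelisted` function, and the contract and function names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical view of the whitelist contract; the real CurrencyManager
// interface is not shown on this page.
interface ICurrencyWhitelist {
    function isCurrencyWhitelisted(address currency) external view returns (bool);
}

interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for the part of a factory that moves tokens.
contract WhitelistGatedPayments {
    ICurrencyWhitelist public immutable currencyManager;

    error CurrencyNotWhitelisted(address currency);
    error TransferFailed(address currency);

    constructor(ICurrencyWhitelist manager) {
        currencyManager = manager;
    }

    // Checked on every call, so a currency removed from the whitelist after
    // it was configured can no longer be moved through this contract.
    modifier onlyWhitelisted(address currency) {
        if (!currencyManager.isCurrencyWhitelisted(currency)) {
            revert CurrencyNotWhitelisted(currency);
        }
        _;
    }

    // Pulls `amount` of `currency` from the caller to `recipient`.
    function pay(address currency, address recipient, uint256 amount)
        external
        onlyWhitelisted(currency)
    {
        // Tokens that return no value would fail to decode here; production
        // code would normally use OpenZeppelin's SafeERC20 instead.
        bool ok = IERC20Minimal(currency).transferFrom(msg.sender, recipient, amount);
        if (!ok) revert TransferFailed(currency);
    }
}
```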