UpliftOnlyExample - Missing access validation on onAfterRemoveLiquidity function
The onAfterRemoveLiquidity function in the UpliftOnlyExample contract lacks proper authorization checks, relying solely on the onlySelfRouter modifier to validate the sender.
This allows attackers to exploit the function by passing the correct router value, which is fairly easy.
Here's the implementation of onAfterRemoveLiquidity function:
The core issue lies in the flawed logic of the onAfterRemoveLiquidity function. It uses the onlySelfRouter(router) modifier, which can be easily passed by providing the correct address.
Furthermore, the function does not enforce that the caller must be the Vault contract, which is intended to be the only authorized entity capable of invoking the function. Using a malicious address (likely a deployed contract), attackers can exploit this flaw to remove other users' liquidity. This is a serious threat to protocol funds.
Malicious actors can exploit this vulnerability to remove liquidity positions belonging to other users, potentially resulting in significant fund loss.
Manual Review
To address this issue, update the onAfterRemoveLiquidity function to include strict authorization checks. For example, consider adding the onlyVault modifier.
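The recommendation above as an added sketch, not the UpliftOnlyExample source: it contrasts a guard on the caller-supplied router argument with a guard on msg.sender. The contract name, the shortened hook signature, the error names, and the removed mapping are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Added illustration. Only onlySelfRouter, onlyVault and onAfterRemoveLiquidity
/// are names taken from the finding; everything else here is hypothetical.
contract HookAccessSketch {
    address private immutable _vault;            // trusted Vault, fixed at deployment
    mapping(address => uint256) public removed;  // stand-in for per-owner position accounting

    error SenderIsNotVault(address sender);
    error CannotUseExternalRouter(address router);

    constructor(address vault_) {
        _vault = vault_;
    }

    // Validates an argument. The caller chooses this value, so the check
    // does not authenticate who is calling.
    modifier onlySelfRouter(address router) {
        if (router != address(this)) revert CannotUseExternalRouter(router);
        _;
    }

    // Validates msg.sender, which the caller cannot choose.
    modifier onlyVault() {
        if (msg.sender != _vault) revert SenderIsNotVault(msg.sender);
        _;
    }

    // Before: the argument check is the only thing guarding the state change.
    function onAfterRemoveLiquidityUnguarded(address router, address owner, uint256 amount)
        public
        onlySelfRouter(router)
        returns (bool)
    {
        removed[owner] += amount;
        return true;
    }

    // After: the hook reverts unless the Vault itself is the caller.
    function onAfterRemoveLiquidity(address router, address owner, uint256 amount)
        public
        onlyVault
        onlySelfRouter(router)
        returns (bool)
    {
        removed[owner] += amount;
        return true;
    }
}
```

A unit test for the fix should call the hook from a non-Vault address with router set to the hook's own address and expect a revert.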
Likelihood: High, anyone, anytime. Impact: High, Loss of funds