QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Lack of Access Control in `setRuleForPool` Function

Summary

The setRuleForPool function lacks proper access control mechanisms. This vulnerability allows unauthorized entities to set rules for pools, potentially leading to unauthorized configurations and manipulation of pool settings.

Vulnerability Details

The setRuleForPool function does not implement any access control checks to verify the caller's identity or authorization level.

```solidity
function setRuleForPool(IQuantAMMWeightedPool.PoolSettings memory _poolSettings) external {
    require(address(rules[msg.sender]) == address(0), "Rule already set");
    require(_poolSettings.oracles.length > 0, "Empty oracles array");
    require(poolOracles[msg.sender].length == 0, "pool rule already set");
    for (uint i; i < _poolSettings.oracles.length; ++i) {
        require(_poolSettings.oracles[i].length > 0, "Empty oracles array");
        for (uint j; j < _poolSettings.oracles[i].length; ++j) {
            if (!approvedOracles[_poolSettings.oracles[i][j]]) {
                revert("Not approved oracled used");
            }
        }
    }
    // ... remainder of the function is not shown in the report
}
```

The function relies solely on `msg.sender` to determine the pool for which the rule is being set. There is no mechanism to restrict who can call this function, allowing any address to potentially set rules for any pool. The comment "Set a rule for a pool, called by the pool" suggests that the function is intended to be called by the pool itself, but this is not enforced by the code.

Impact

Malicious actors could set arbitrary rules for pools, leading to potential manipulation of pool behavior.

Tools Used

Manual Review

Recommendations

Introduce access control mechanisms to ensure that only authorized entities can call the setRuleForPool function.
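The following contract is an added illustration, not QuantAMM's code (the judge below invalidated this finding as "Incorrect statement"; contract and variable names here are assumed). It contrasts the two shapes a rule-registration function can take. In the snippet quoted above, every write goes to `rules[msg.sender]`, so the caller can only ever populate its own entry and a third party cannot set a rule for a different pool address; `msg.sender` is itself the authorization. An explicit check of the kind the recommendation asks for becomes necessary only when the pool is taken as a parameter, because then `msg.sender` no longer identifies the pool being configured.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not QuantAMM's code. All names below are assumed.
contract RuleRegistryExample {
    address public immutable admin;
    mapping(address => address) public rules;        // pool => rule contract
    mapping(address => bool) public approvedOracles; // oracle allow-list

    constructor(address[] memory oracles) {
        admin = msg.sender;
        for (uint256 i; i < oracles.length; ++i) {
            approvedOracles[oracles[i]] = true;
        }
    }

    // Shared validation: non-empty oracle list, every oracle on the allow-list.
    function _checkOracles(address[] calldata oracles) internal view {
        require(oracles.length > 0, "Empty oracles array");
        for (uint256 i; i < oracles.length; ++i) {
            require(approvedOracles[oracles[i]], "Not approved oracle");
        }
    }

    // Shape 1, as in the quoted snippet: the slot written is always
    // rules[msg.sender]. No caller can touch another address's entry, so
    // no further access check is needed for the write itself.
    function setRuleForSelf(address rule, address[] calldata oracles) external {
        require(rules[msg.sender] == address(0), "Rule already set");
        _checkOracles(oracles);
        rules[msg.sender] = rule;
    }

    // Shape 2: the pool is a parameter. Here an explicit authorization check
    // is required, otherwise anyone could register a rule for any pool.
    function setRuleForPool(address pool, address rule, address[] calldata oracles) external {
        require(msg.sender == pool || msg.sender == admin, "Not authorized for pool");
        require(rules[pool] == address(0), "Rule already set");
        _checkOracles(oracles);
        rules[pool] = rule;
    }
}
```

When reviewing a function for missing access control, the first question is which storage slot the write lands in: if the key is `msg.sender` and the function only initializes an unset entry, as in Shape 1, the write is already confined to the caller's own state.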

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
