QuantAMM

49,600 OP
Submission Details
Severity: low
Invalid

Anyone Can Register As A Pool

Summary

In UpdateWeightRunner there is a function setRuleForPool which a pool is expected to call to register itself. However, there is currently no access control on this function: anyone can call it and register their own address, or their contract's address, as a legitimate pool.

Vulnerability Details

Anyone can call setRuleForPool, which registers the caller's contract as a real pool in the UpdateWeightRunner contract's storage.

This will lead to problems in:

  1. calculateMultiplierAndSetWeightsFromRule should only be callable by rules. When anyone can register a rule, this restriction no longer holds.

  2. As stated in InitialisePoolLastRunTime, setWeightsManually and setIntermediateValuesManually, "Current breakglass settings allow pool creator trigger. This is subject to review". Because anyone can currently register a pool/rule, these breakglass settings are callable by everyone.

Impact

Malicious calls to the functions listed above. All four functions control important settings that should not be callable by everyone.

Tools Used

Manual Review

Recommendations

Implement a whitelist of pools and check it in setRuleForPool, so that nobody can register an arbitrary contract as a pool.
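To make the recommendation concrete, here is an added illustration of an admin-managed pool allowlist gating setRuleForPool, with the downstream rule-only check built on the same allowlist. This is example code, not QuantAMM's UpdateWeightRunner; the admin role, the storage layout and the function parameters are assumptions, and only the function names come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not QuantAMM code. Storage layout, admin role and
// parameters are assumed; only the function names come from the finding.
interface IUpdateRule {}

contract UpdateWeightRunnerSketch {
    address public immutable admin;                 // assumed admin role
    mapping(address => bool) public approvedPools;  // assumed allowlist
    mapping(address => IUpdateRule) public rules;   // assumed pool => rule

    event PoolApproved(address indexed pool);
    event RuleSet(address indexed pool, address indexed rule);

    error NotAdmin();
    error PoolNotApproved(address pool);
    error NotRegisteredRule(address caller);

    constructor() { admin = msg.sender; }

    modifier onlyAdmin() { if (msg.sender != admin) revert NotAdmin(); _; }

    // Vulnerable shape described in the finding: no caller check at all.
    // function setRuleForPool(IUpdateRule rule) external { rules[msg.sender] = rule; }

    // Hardened: the caller must already be on the admin-managed allowlist.
    function approvePool(address pool) external onlyAdmin {
        approvedPools[pool] = true;
        emit PoolApproved(pool);
    }

    function setRuleForPool(IUpdateRule rule) external {
        if (!approvedPools[msg.sender]) revert PoolNotApproved(msg.sender);
        rules[msg.sender] = rule;
        emit RuleSet(msg.sender, address(rule));
    }

    // Downstream gate: only the rule registered for an approved pool may
    // trigger a weight update, so an unlisted pool cannot reach this path.
    function calculateMultiplierAndSetWeightsFromRule(address pool) external {
        if (!approvedPools[pool] || msg.sender != address(rules[pool])) {
            revert NotRegisteredRule(msg.sender);
        }
        // weight update logic would follow here
    }
}
```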

Updates

Lead Judging Commences

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
