Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: low
Invalid

Access control bypass in `_requireIsKeeper` function in `settleBranch.sol` contract

Summary

The `_requireIsKeeper` check allows any caller if the configured keeper address is `address(0)`. This happens because the condition `if (sender != keeper && keeper != address(0))` only reverts when the keeper is non-zero and doesn't match the sender. If the keeper is `address(0)`, the check is bypassed.

Vulnerability Details

https://github.com/Cyfrin/2025-01-zaros-part-2/blob/35deb3e92b2a32cd304bf61d27e6071ef36e446d/src/perpetuals/branches/SettlementBranch.sol#L565-L570

```solidity
function _requireIsKeeper(address sender, address keeper) internal pure {
    if (sender != keeper && keeper != address(0)) {
        revert Errors.OnlyKeeper(sender, keeper);
    }
}
```

Attackers can act as keepers for markets with unconfigured keepers, leading to malicious activities within the system.

Impact

The severity is high because any user could perform keeper-only actions, leading to unauthorised operations. This could allow attackers to manipulate the system, stealing funds or causing other harm to the system.

Tools Used

Manual review

Recommendations

Modify the check to `require(keeper != address(0), "Keeper not set")` and `require(sender == keeper, "not keeper")`. This way, if the keeper is zero it will revert, and if the sender is not the keeper it will also revert.
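
The difference between the quoted check and the recommended one, written as a Foundry test. This is an added example, not part of the submission or the Zaros code base. The harness contract, the `KeeperNotSet` error (used in place of the `require` strings) and the sample addresses are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical harness (not Zaros code): exposes both checks externally so
// vm.expectRevert can observe the revert at a lower call depth.
contract KeeperCheckHarness {
    error OnlyKeeper(address sender, address keeper);
    error KeeperNotSet();

    // Check as quoted in the submission: a zero keeper short-circuits the condition.
    function checkAsQuoted(address sender, address keeper) external pure {
        if (sender != keeper && keeper != address(0)) {
            revert OnlyKeeper(sender, keeper);
        }
    }

    // Check as recommended in the submission: fail closed when no keeper is set.
    function checkFailClosed(address sender, address keeper) external pure {
        if (keeper == address(0)) revert KeeperNotSet();
        if (sender != keeper) revert OnlyKeeper(sender, keeper);
    }
}

contract KeeperCheckTest is Test {
    KeeperCheckHarness internal h = new KeeperCheckHarness();
    address internal constant KEEPER = address(0xBEEF); // constructed sample values
    address internal constant OTHER = address(0xCAFE);

    function test_configuredKeeper_bothVariantsAgree() public {
        h.checkAsQuoted(KEEPER, KEEPER);
        h.checkFailClosed(KEEPER, KEEPER);
        vm.expectRevert(abi.encodeWithSelector(KeeperCheckHarness.OnlyKeeper.selector, OTHER, KEEPER));
        h.checkAsQuoted(OTHER, KEEPER);
        vm.expectRevert(abi.encodeWithSelector(KeeperCheckHarness.OnlyKeeper.selector, OTHER, KEEPER));
        h.checkFailClosed(OTHER, KEEPER);
    }

    function test_unsetKeeper_variantsDiffer() public {
        h.checkAsQuoted(OTHER, address(0)); // passes: no revert for any sender
        vm.expectRevert(KeeperCheckHarness.KeeperNotSet.selector);
        h.checkFailClosed(OTHER, address(0));
    }
}
```

With a configured keeper the two variants behave identically; they differ only when the keeper argument is `address(0)`, which is the case the submission describes.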

Updates

Lead Judging Commences

inallhonesty Lead Judge
7 months ago
inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

[INVALID]`_requireIsKeeper` doesn't quite work well
