Missing access control in AssetSwapPath.configure()
Summary
The AssetSwapPath.configure() function allows configuring swap paths and strategies for an asset. However, this function lacks proper access control, making it vulnerable to unauthorized calls. A malicious actor could exploit this vulnerability to modify critical swap configurations, leading to incorrect trades, financial losses, or system instability.
Vulnerability Details
Code Analysis
The configure() function is defined as follows:
Key Observations:
No Access Control : The function does not enforce any restrictions on who can call it. If exposed externally or called improperly, it could allow unauthorized users to modify critical swap configurations.
Critical State Modification : The function modifies the
enabledflag,assets, anddexSwapStrategyIdsfields of theAssetSwapPath.Datastruct. These fields are essential for determining swap strategies and paths.Potential Misconfiguration : An attacker could set invalid or malicious swap paths, such as pointing to non-existent or malicious contracts, leading to incorrect trades or losses.
Attack Scenario
An attacker identifies that the
configure()function is callable without restrictions.The attacker calls the
configure()function for a valid asset, settingenabled = falseor providing invalidassetsanddexSwapStrategyIds.The swap strategy for the asset is disabled or misconfigured, causing trades involving the asset to fail or behave incorrectly.
Users attempting to trade the asset experience failures or unexpected behavior, leading to financial losses or system instability.
Impact
Incorrect Trades : Misconfigured swap paths could lead to incorrect trades, resulting in financial losses for users.
Denial of Service : Disabling the swap strategy (
enabled = false) could prevent trades involving the asset, disrupting the system.Loss of Trust : Users may lose confidence in the protocol due to unreliable or malicious swap configurations.
Tools Used
Manual Code Review : Analyzed the
configure()function and its interactions with theAssetSwapPath.Datastruct.Slither : Static analysis tool used to identify missing access control and potential misconfigurations.
MythX : Security analysis platform used to verify vulnerabilities in the smart contract.
Recommendations
Short-Term Fix
Add proper access control to the configure() function to ensure only authorized entities can call it. For example:
Replace authorizedAddress with the appropriate address or role (e.g., admin, governance).
Long-Term Fix
-
Role-Based Access Control (RBAC) : Implement an RBAC system using libraries like OpenZeppelin's
AccessControlto manage permissions for sensitive functions. -
Input Validation : Add validation checks to ensure the
assetsanddexSwapStrategyIdsarrays are valid and consistent.require(assets.length == dexSwapStrategyIds.length, "Mismatched lengths");require(assets[0] == expectedAccessAsset, "Invalid first asset"); -
Event Logging : Emit events whenever the
configure()function is called to provide transparency and enable monitoring.event AssetSwapPathConfigured(address indexed asset, bool enabled, address[] assets, uint128[] dexSwapStrategyIds);function configure(Data storage self,bool enabled,address[] memory assets,uint128[] memory dexSwapStrategyIds) internal onlyAuthorized {require(assets.length == dexSwapStrategyIds.length, "Mismatched lengths");require(assets[0] == expectedAccessAsset, "Invalid first asset");self.enabled = enabled;self.assets = assets;self.dexSwapStrategyIds = dexSwapStrategyIds;emit AssetSwapPathConfigured(self.asset, enabled, assets, dexSwapStrategyIds);}
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.