Core Contracts

Regnum Aurum Acquisition Corp
Tags: Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Unauthorized Boost Update in updateUserBoost Function

Summary

The updateUserBoost function can be called by anyone to update the boost value of any user in any supported pool. No access control restricts the caller, so a third party can change a user's boost, and where that boost is applied, without the user's consent.

Vulnerability Details

The function updateUserBoost(address user, address pool) is externally callable and performs no check on msg.sender: it neither requires that msg.sender == user nor restricts the caller with an onlyOwner, onlyAdmin, or onlyAuthorized modifier. Any externally owned account or contract can therefore call it with an arbitrary user and an arbitrary supported pool and force an update of that user's boost for that pool.

Impact

An attacker can force the delegation of any user's boost to a pool of the attacker's choosing, without the user's consent, hijacking that user's voting power. Because rewards distribution and pool calculations depend on boost values, the attacker can also inflate or reduce the effective boost of arbitrary users and distort those calculations.

Tools Used

  • Manual code review

Recommendations

  1. Implement Access Control: Restrict access to this function using an appropriate modifier, such as:

    address public owner;
    mapping(address => bool) public isAuthorized;

    modifier onlyAuthorized() {
        require(msg.sender == owner || isAuthorized[msg.sender], "Not authorized");
        _;
    }

    Apply this modifier to updateUserBoost so that only authorized callers can invoke it. If users are expected to manage their own boosts, require instead (or in addition) that msg.sender == user, so that no third party can move a user's boost to another pool without the user's consent.
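The following Solidity sketch, added here as an illustration and not taken from the project's BoostController, places the unguarded pattern next to a hardened version. The storage layout (a boostPool mapping from user to the pool their boost is applied to), the supportedPools mapping, the NotAuthorized error and the onlyUserOrAuthorized modifier are all assumptions made for the example; only the updateUserBoost(address user, address pool) signature comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch of the affected pattern. Assumed: each user's boost is
// applied to exactly one pool, tracked in boostPool, and updateUserBoost
// re-points it. The real contract's storage layout is not reproduced here.
contract VulnerableBoostController {
    mapping(address => bool) public supportedPools;
    mapping(address => address) public boostPool; // user => pool the boost is applied to

    event BoostUpdated(address indexed user, address indexed pool);

    function setSupportedPool(address pool, bool supported) external {
        supportedPools[pool] = supported; // admin checks elided; not the point here
    }

    // VULNERABLE: no check on msg.sender. Any caller can move any user's boost
    // to any supported pool, exactly the condition described in the finding.
    function updateUserBoost(address user, address pool) external {
        require(supportedPools[pool], "Pool not supported");
        boostPool[user] = pool;
        emit BoostUpdated(user, pool);
    }
}

contract HardenedBoostController {
    address public immutable owner;
    mapping(address => bool) public isAuthorized;   // operators allowed to act for users
    mapping(address => bool) public supportedPools;
    mapping(address => address) public boostPool;

    error NotAuthorized(address caller, address user);
    event BoostUpdated(address indexed user, address indexed pool);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    function setAuthorized(address who, bool ok) external onlyOwner {
        isAuthorized[who] = ok;
    }

    function setSupportedPool(address pool, bool supported) external onlyOwner {
        supportedPools[pool] = supported;
    }

    // A user may update their own boost; the owner or an explicitly authorized
    // operator may do so on their behalf. Every other caller is rejected, so a
    // stranger can no longer re-delegate someone else's boost.
    modifier onlyUserOrAuthorized(address user) {
        if (msg.sender != user && msg.sender != owner && !isAuthorized[msg.sender]) {
            revert NotAuthorized(msg.sender, user);
        }
        _;
    }

    function updateUserBoost(address user, address pool)
        external
        onlyUserOrAuthorized(user)
    {
        require(supportedPools[pool], "Pool not supported");
        boostPool[user] = pool;
        emit BoostUpdated(user, pool);
    }
}
```

A Hardhat test for the vulnerable contract would call updateUserBoost(victim, attackerPool) from a signer unrelated to victim and observe that boostPool(victim) now returns attackerPool; the same call against the hardened contract reverts with NotAuthorized(attacker, victim), while a call from victim or from an address the owner has set via setAuthorized succeeds.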

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BoostController::updateUserBoost lacks caller validation, allowing anyone to force delegation of any user's boost to any pool without consent, hijacking voting power
