
Deployer backdoors in DAOVault, Router and SynthVault contracts

2021-07-21 00:00:00
Code4rena
github.com

Handle

0xRajeev

Vulnerability details

Impact

The contracts use an access control pattern in which the contract deployer is included in the onlyDAO modifier that gates critical functions. Such contracts also include a purgeDeployer function, which renounces the deployer address (sets it to the zero address) and is expected to be called by the deployer/DAO once the DAO is stable/final, so that the deployer no longer has access to critical functions.

However, the DAOVault, SynthVault and Router contracts lack such a purgeDeployer function to remove the deployer from this access control list. As a result, the contract deployer retains a perpetual authorization (which may be perceived as a backdoor) to those critical functions at all times. E.g.: the deployer has access to the withdraw function in DAOVault, which can be used to trigger withdrawals of any member arbitrarily. Similarly, the deployer can change critical parameters of the Router and SynthVault contracts at any time.

Proof of Concept

<https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/DaoVault.sol#L68>

<https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Router.sol#L23-L27>

<https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Router.sol#L332-L345>

<https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/synthVault.sol#L29-L33>

<https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/synthVault.sol#L81-L85>

purgeDeployer in other contracts:

<https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/BondVault.sol#L49-L52>

<https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Dao.sol#L136-L139>

<https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/poolFactory.sol#L39-L42>

<https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/synthFactory.sol#L31-L34>

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add purgeDeployer to the three contracts listed above. If not, document why it is not necessary.
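The pattern described under Impact, with the purgeDeployer that the mitigation asks for, as an added Solidity illustration. This is not the Spartan code: the contract, event and parameter names and the onlyDAO gating of purgeDeployer are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the access-control pattern the finding
// describes. Not the Spartan contracts: names (DEPLOYER, DAO, setParam,
// DeployerPurged) and the onlyDAO gating of purgeDeployer are assumptions.
contract VaultWithPurge {
    address public DEPLOYER;   // privileged until purged
    address public DAO;        // the DAO contract meant to be the sole authority
    uint256 public param;      // stands in for any critical parameter

    event DeployerPurged(address indexed caller);

    constructor(address dao) {
        DEPLOYER = msg.sender;
        DAO = dao;
    }

    // The deployer passes this check for as long as DEPLOYER is non-zero.
    // Without a purge path that is forever, which is the finding.
    modifier onlyDAO() {
        require(msg.sender == DAO || msg.sender == DEPLOYER, "!DAO");
        _;
    }

    // The function missing from DAOVault, Router and SynthVault.
    // Zeroing DEPLOYER is irreversible: no transaction can have address(0)
    // as msg.sender, so afterwards only DAO satisfies onlyDAO.
    function purgeDeployer() external onlyDAO {
        require(DEPLOYER != address(0), "already purged");
        DEPLOYER = address(0);
        emit DeployerPurged(msg.sender);
    }

    // A critical setter gated by onlyDAO, as in Router/SynthVault.
    function setParam(uint256 value) external onlyDAO {
        param = value;
    }

    // Off-chain check a reviewer or monitor can run: a deployed vault whose
    // DEPLOYER is still non-zero after the DAO is final retains the
    // perpetual authorization this finding reports.
    function deployerStillPrivileged() external view returns (bool) {
        return DEPLOYER != address(0);
    }
}
```

The DeployerPurged event gives an on-chain record that the privilege was renounced, so its absence in a finalized deployment is itself a signal worth alerting on.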
