Lines of code
Vulnerability details
Impact
This is a missing access-control check: VaultToken.setVault can be called by anyone, so any account can set the vault address to its own address and then call mint/burn to mint and burn vault tokens at will.
<https://github.com/code-423n4/2023-03-polynomial/blob/30be22e965b0fdaa64fb30a6fc6d358e40baff8b/src/VaultToken.sol#L35-L40>
The impact is severe since all the funds in Kangaroo vault can be withdrawn by anyone.
Proof of Concept
- A malicious account sets the vault address to its own address using VaultToken.setVault.
<https://github.com/code-423n4/2023-03-polynomial/blob/30be22e965b0fdaa64fb30a6fc6d358e40baff8b/src/VaultToken.sol#L35-L40>
- The attacker can then burn every other user's VaultTokens and mint an arbitrarily large amount of VaultTokens to their own account, since their address is now the vault.
<https://github.com/code-423n4/2023-03-polynomial/blob/30be22e965b0fdaa64fb30a6fc6d358e40baff8b/src/VaultToken.sol#L27-L33>
- The attacker can call KangarooVault.initiateWithdrawal to withdraw all sUSD from the Kangaroo Vault (either waiting until the vault holds no position, so the withdrawal is instant, or waiting out the delay period and then processing the withdrawal).
<https://github.com/code-423n4/2023-03-polynomial/blob/30be22e965b0fdaa64fb30a6fc6d358e40baff8b/src/KangarooVault.sol#L215-L239>
Tools Used
Manual
Recommended Mitigation Steps
Add a modifier so that only the owner can call the setVault function. For example, use the Ownable contract from OpenZeppelin.
- function setVault(address _vault) external {
+ function setVault(address _vault) external onlyOwner {
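Review bot: `onlyOwner` in the `+` line is not declared anywhere in this snippet; for it to compile, the contract declaration must also inherit OpenZeppelin's `Ownable` (e.g. `contract VaultToken is ERC20, Ownable`) and import it, which the two-line diff leaves implicit. It would also help to state who the owner is expected to be after deployment, since that account becomes the only party able to bind the vault address.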
<https://github.com/code-423n4/2023-03-polynomial/blob/30be22e965b0fdaa64fb30a6fc6d358e40baff8b/src/VaultToken.sol#L35>
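The mitigation above, carried through as an added, constructed example (not the Polynomial project's VaultToken): a token whose setVault is owner-gated, with a Foundry test checking that an unprivileged account can neither bind the vault nor mint. It assumes solmate's ERC20 base, OpenZeppelin Contracts 4.x Ownable and forge-std; the contract and test names and the addresses are made up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import {ERC20} from "solmate/tokens/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

// Constructed illustration, not the project's VaultToken. mint/burn are gated on
// `vault`; setVault is gated on the owner via OpenZeppelin 4.x Ownable (with
// 5.x, pass msg.sender to the Ownable constructor instead).
contract HardenedVaultToken is ERC20, Ownable {
    address public vault;
    constructor(string memory _name, string memory _symbol) ERC20(_name, _symbol, 18) {}

    modifier onlyVault() {
        require(msg.sender == vault, "VaultToken: caller is not the vault");
        _;
    }
    function mint(address _user, uint256 _amt) external onlyVault { _mint(_user, _amt); }
    function burn(address _user, uint256 _amt) external onlyVault { _burn(_user, _amt); }
    // The recommended fix: only the owner may bind the vault address.
    function setVault(address _vault) external onlyOwner {
        require(_vault != address(0), "VaultToken: zero vault");
        vault = _vault;
    }
}

// Foundry regression test: an unprivileged account can no longer claim the vault
// role (and so cannot mint or burn), while the deployer/owner can still bind it.
contract HardenedVaultTokenTest is Test {
    HardenedVaultToken token;
    address attacker = address(0xBEEF); // constructed, unprivileged address
    function setUp() public {
        token = new HardenedVaultToken("Vault Token", "vTKN"); // owner == this contract
    }
    function testNonOwnerCannotSetVaultOrMint() public {
        vm.prank(attacker);
        vm.expectRevert("Ownable: caller is not the owner");
        token.setVault(attacker);
        assertEq(token.vault(), address(0)); // vault binding unchanged
        vm.prank(attacker);
        vm.expectRevert("VaultToken: caller is not the vault");
        token.mint(attacker, 1e18);
    }
    function testOwnerCanSetVault() public {
        token.setVault(address(0xCAFE)); // constructed vault address
        assertEq(token.vault(), address(0xCAFE));
    }
}
```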