The unprotected setVault function in VaultToken.sol can be front-run to set an attacker-controlled vault address. Once the attacker-controlled address is set as the vault, the attacker can mint a large amount of tokens for himself and can also burn other users' tokens.
```solidity
function setVault(address _vault) external {
    if (vault != address(0x0)) {
        revert();
    }
    vault = _vault;
}
```
Since there is no other way to set the vault address to the protocol's vault, the protocol has to redeploy the VaultToken contract.
Manual Review
Since setting the vault is critical functionality, we recommend using a private relay such as Flashbots to mine such transactions, or adding some kind of governance control / access control to such functions.
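One way to apply the access-control recommendation, shown as an added example that is not the project's own code: the one-time setter stays, but only the account that deployed the token can call it. The contract name, `deployer`, the custom errors and the `VaultSet` event are assumptions made for this sketch, and the token's mint/burn logic is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: hardened variant of the one-time vault setter.
// All names except `vault` and `setVault` are hypothetical.
contract VaultTokenHardened {
    // Fixed inside the deployment transaction, so there is no window in
    // which a third party can claim the privileged role.
    address public immutable deployer;
    address public vault;

    error NotDeployer();
    error VaultAlreadySet();
    error ZeroVault();

    // Emitted once; lets the team confirm off-chain that the expected
    // vault address was recorded.
    event VaultSet(address indexed vault);

    constructor() {
        // If the token is created by a factory contract, msg.sender is the
        // factory; pass the intended admin as a constructor argument instead.
        deployer = msg.sender;
    }

    function setVault(address _vault) external {
        // Access control: a front-running caller fails this check.
        if (msg.sender != deployer) revert NotDeployer();
        // Keep the original one-time semantics.
        if (vault != address(0)) revert VaultAlreadySet();
        // Setting the zero address would leave the setter open again.
        if (_vault == address(0)) revert ZeroVault();

        vault = _vault;
        emit VaultSet(_vault);
    }
}
```

If the vault address is already known when the token is deployed, passing it to the constructor and declaring `vault` immutable removes the setter entirely.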