Source: Code4rena
ID: CODE423N4:2023-08-POOLTOGETHER-FINDINGS-ISSUES-142
Date: Aug 07, 2023 - 12:00 a.m.

The treasury address can be updated by the contract owner to point to a malicious address after deployment

Lines of code
<https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/GeVault.sol#L108-L109>

Vulnerability details

Impact

Any fees or funds sent to the treasury could potentially be stolen or manipulated.

Proof of Concept

The treasury address can be updated by the contract owner to point to a malicious address after deployment. This presents a risk because the treasury receives all the deposit fees.

The setTreasury function allows the contract owner to update the treasury address. There are no restrictions on what address can be set.

A proof of concept exploit would be:

  1. Deploy the contract with a trusted treasury address
  2. Wait for users to deposit assets and fees to be collected by the treasury
  3. The owner calls setTreasury and sets it to a malicious contract they control
  4. When new fees are collected, they are sent to the malicious contract instead of the intended treasury

Tools Used

Manual

Recommended Mitigation Steps

setTreasury could require a timelock, so that there is a delay between updating the address and when the change takes effect.
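
One way to implement the recommended timelock, as an added sketch that is not GeVault's code: setTreasury only queues the new address, and a separate call applies it once the delay has passed, so users see an on-chain event before fees are redirected. Assumptions: every name except setTreasury and treasury is hypothetical, including the 2-day delay and the minimal owner check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only; not the audited contract. Names other than
/// setTreasury/treasury are hypothetical.
contract TimelockedTreasury {
    uint256 public constant TREASURY_DELAY = 2 days; // assumed delay

    address public immutable owner;
    address public treasury;           // current fee recipient
    address public pendingTreasury;    // queued replacement, if any
    uint256 public pendingTreasuryEta; // earliest time the change may apply

    event TreasuryChangeQueued(address indexed newTreasury, uint256 eta);
    event TreasuryChangeCancelled(address indexed cancelled);
    event TreasuryChanged(address indexed oldTreasury, address indexed newTreasury);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address initialTreasury) {
        require(initialTreasury != address(0), "zero treasury");
        owner = msg.sender;
        treasury = initialTreasury;
    }

    /// Step 1: queue the change. Fees keep going to the current treasury.
    function setTreasury(address newTreasury) external onlyOwner {
        require(newTreasury != address(0), "zero treasury");
        pendingTreasury = newTreasury;
        pendingTreasuryEta = block.timestamp + TREASURY_DELAY;
        emit TreasuryChangeQueued(newTreasury, pendingTreasuryEta);
    }

    /// Withdraw a queued change before it takes effect.
    function cancelTreasuryChange() external onlyOwner {
        emit TreasuryChangeCancelled(pendingTreasury);
        delete pendingTreasury;
        delete pendingTreasuryEta;
    }

    /// Step 2: apply the queued address once the delay has elapsed.
    function applyTreasury() external onlyOwner {
        require(pendingTreasury != address(0), "nothing queued");
        require(block.timestamp >= pendingTreasuryEta, "timelock active");
        emit TreasuryChanged(treasury, pendingTreasury);
        treasury = pendingTreasury;
        delete pendingTreasury;
        delete pendingTreasuryEta;
    }
}
```

The delay does not stop the owner from changing the treasury; it gives depositors and monitoring tools a window to react to the TreasuryChangeQueued event before the new address receives fees.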

Assessed type

Other
