Skip to content

Latest commit

 

History

History
85 lines (66 loc) · 2.91 KB

009.md

File metadata and controls

85 lines (66 loc) · 2.91 KB

Low Tangerine Cod

High

All admin function can be ddosed

Summary

executeSetterFunction is not restricted

Root Cause

Whevener there is an admin function call, there is a check that enought signers approved it, e.x.:

    function setTreasury(address _treasury) external onlyAdmin {
        // Check whether the input address is not a zero address and EOA
        if (_treasury == address(0) || !isContract(_treasury)) revert CDS_CantBeEOAOrZeroAddress(_treasury);
        // Check whether, the function have required approvals from owners to set
        if (!multiSign.executeSetterFunction(IMultiSign.SetterFunctions(6))) revert CDS_RequiredApprovalsNotMetToSet();
        treasuryAddress = _treasury;
        treasury = ITreasury(_treasury);
    }

contracts/Core_logic/CDS.sol#L573

executeSetterFunction doesn't implement restriction to who can call it, and invalidates all approves signes,

    function executeSetterFunction(
        SetterFunctions _function
    ) external returns (bool) {
        // Get the number of approvals
        require(getSetterFunctionApproval(_function) >= requiredApprovals,"Required approvals not met");
        // Loop through the approved functions with owners mapping and change to false
        for (uint64 i; i < noOfOwners; i++) {
            approvedToUpdate[_function][owners[i]] = false;
        }
        return true;
    }

There are 8 different rates per second defined in the code. This indicates that the admin is likely to adjust the project's parameters frequently to ensure the stability of the protocol.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. owner/signers approve something
  2. The attacker invalidates it.

Impact

Ddos all admin functions e.x. APR, ratePerSec will not be able to be changed, but in whitepaper there is:

For the initial few years, the Protocol parameters will be handled by our core team to ensure stablecoin peg is maintained with appropriate incentives created. We will automate most of the parameters over the course of this stabilization period in order to achieve an equilibrium state where the protocol runs smoothly

Therefore, it is crucial that the parameters remain adjustable

PoC

No response

Mitigation

    function executeSetterFunction(
        SetterFunctions _function
-    ) external returns (bool) {
+    ) external returns onlyCoreContracts (bool) {
        // Get the number of approvals
        require(getSetterFunctionApproval(_function) >= requiredApprovals,"Required approvals not met");
        // Loop through the approved functions with owners mapping and change to false
        for (uint64 i; i < noOfOwners; i++) {
            approvedToUpdate[_function][owners[i]] = false;
        }
        return true;
    }