The downside protected amount can be updated by any external user in CDS.sol

Title: The downside protected amount can be updated by any external user

Location: updateDownsideProtected function

Vulnerable Code:

function updateDownsideProtected(uint128 downsideProtectedAmount) external {
     downsideProtected += downsideProtectedAmount;
 }

Impact: The protected downside amount can be modified by any user. This means that a malicious external user can manipulate how much the downside protection amount is. This protected downside amount can be increased or decreased as the malicious caller sees fit.

Proof Of Concept (POC): I have created an attack POC as follows.

forge test -vvvvv --match-test test_sherlock

function test_sherlock() public { 
// Impersonate a user maliciously.
address malificent = address(0xfeefdeef);
vm.startPrank(malificent);
// Call the function maliciously.
cds.updateDownsideProtected(downsideProtectedAmount);
vm.stopPrank();
}

Tools used: Manual review

Mitigation: To mitigate this issue and option would be to add the onlyGlobalOrLiquidationContract or onlyOwner access modifier like so.

+ function updateDownsideProtected(uint128 downsideProtectedAmount) external onlyGlobalOrLiquidationContract {
- function updateDownsideProtected(uint128 downsideProtectedAmount) external {
     downsideProtected += downsideProtectedAmount;
 }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

082.md

082.md

The downside protected amount can be updated by any external user in CDS.sol

Files

082.md

Latest commit

History

082.md

File metadata and controls

The downside protected amount can be updated by any external user in CDS.sol