Skip to content

Latest commit

 

History

History
67 lines (41 loc) · 2.45 KB

091.md

File metadata and controls

67 lines (41 loc) · 2.45 KB

Mythical Burgundy Puppy

High

[Critical] Attacker Can Arbitrarily Modify downsideProtected, Causing Financial Imbalance for the Protocol

Summary

Unrestricted access to the updateDownsideProtected function will cause financial imbalance for the protocol as any user can arbitrarily modify the downsideProtected amount.

Root Cause

In CDS.sol:828-831, the updateDownsideProtected function lacks access control modifiers, allowing any external account to invoke it without restrictions.

Internal pre-conditions

Any user needs to call the updateDownsideProtected(uint128 downsideProtectedAmount) function to set downsideProtected to any desired value.

External pre-conditions

There are no specific external pre-conditions required to exploit this vulnerability.

Attack Path

  1. An attacker (any external user) calls the updateDownsideProtected(uint128 downsideProtectedAmount) function with an arbitrary downsideProtectedAmount.
  2. The function updates the downsideProtected state variable without any authorization checks.
  3. The arbitrary update disrupts the totalCdsDepositedAmount, potentially affecting the protocol's financial calculations and user withdrawals.

Impact

The protocol suffers an arbitrary manipulation of the downsideProtected amount, leading to inaccurate financial balances and potential loss or misallocation of funds. This can undermine user trust and the overall stability of the Autonomint protocol.

PoC

// SPDX-License-Identifier: MIT
pragma solidity 0.8.22;

// Interface to interact with the vulnerable CDS contract
interface ICDS {
    function updateDownsideProtected(uint128 downsideProtectedAmount) external;
}

contract AttackCDS {
    ICDS public cds;

    constructor(address _cdsAddress) {
        cds = ICDS(_cdsAddress);
    }

    // Function to exploit the vulnerability by arbitrarily setting downsideProtected
    function exploit(uint128 maliciousAmount) public {
        cds.updateDownsideProtected(maliciousAmount);
    }
}

Mitigation

Restrict Access:

Apply appropriate access control modifiers to ensure that only authorized roles (e.g., admin) can invoke the updateDownsideProtected function.

Implement Role-Based Access Control (RBAC):

Utilize OpenZeppelin's AccessControlUpgradeable to manage roles more granularly, reducing the risk of single-point failures.