Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dandy Caramel Tortoise - Attacker can revoke any user from a market #37

Open
sherlock-admin2 opened this issue Dec 10, 2024 · 1 comment
Open

Dandy Caramel Tortoise - Attacker can revoke any user from a market #37

sherlock-admin2 opened this issue Dec 10, 2024 · 1 comment
Labels
Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin2
Copy link

Dandy Caramel Tortoise

Medium

Attacker can revoke any user from a market

Summary

Lack of access control in revokeLender allows an attacker to revoke any participant from a market

Root Cause

The delegation version of the revokeLender function fails to perform any access control checks allowing any user to revoke any user

    function _revokeStakeholderViaDelegation(
        uint256 _marketId,
        address _stakeholderAddress,
        bool _isLender,
        uint8 _v,
        bytes32 _r,
        bytes32 _s
    ) internal {
        bytes32 uuid = _revokeStakeholderVerification(
            _marketId,
            _stakeholderAddress,
            _isLender
        );
        // NOTE: Disabling the call to revoke the attestation on EAS contracts
        //        address attestor = markets[_marketId].owner;
        //        tellerAS.revokeByDelegation(uuid, attestor, _v, _r, _s);
    }

Internal pre-conditions

Attestation should be enabled to observe the impact

External pre-conditions

No response

Attack Path

  1. Attacker calls revokeLender by passing in any address they wish to revoke from the market

Impact

Attacker can revoke any address they wish from any market making the market unuseable

PoC

No response

Mitigation

Perform access control checks
@sherlock-admin3 sherlock-admin3 added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Dec 12, 2024
@sherlock-admin2
Copy link
Author

The protocol team fixed this issue in the following PRs/commits:
teller-protocol/teller-protocol-v2-audit-2024#77

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin2 @sherlock-admin3