Unprotected updation of whitelist #107
Labels
bug: Something isn't working
downgraded by judge
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Lines of code
https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPair.sol#L307
https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPair.sol#L288
Vulnerability details
Impact
`FraxlendPair.sol`: Any existing borrower/lender can update the whitelist. This allows them to remove any addresses from the whitelist by setting their `_approval` as `false`. Same for addition of addresses in the whitelist.
Proof of Concept
https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPair.sol#L307-L311
https://github.com/code-423n4/2022-08-frax/blob/c4189a3a98b38c8c962c5ea72f1a322fbc2ae45f/src/contracts/FraxlendPair.sol#L288-L292
Tools Used
Manual analysis
Recommended Mitigation Steps
Consider strengthening access control on the functions `setApprovedBorrowers` and `setApprovedLenders`.
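A simplified model of the access-control pattern the report describes, next to an owner-gated form of the same setter. This is an added example, not code from `FraxlendPair.sol` or from the report; the contract name, the `owner` role, the `_lenders` parameter, the two function-name suffixes, the errors and the event are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Simplified model for illustration only; not the FraxlendPair source.
contract WhitelistModel {
    address public immutable owner; // assumed privileged role
    mapping(address => bool) public approvedLenders;

    error NotApprovedLender();
    error NotOwner();

    // Emitting the caller makes whitelist changes by non-owners visible to monitoring.
    event LenderApprovalSet(address indexed lender, bool approval, address indexed setBy);

    constructor(address[] memory _initialLenders) {
        owner = msg.sender;
        for (uint256 i = 0; i < _initialLenders.length; ++i) {
            approvedLenders[_initialLenders[i]] = true;
        }
    }

    // Pattern described in the report: the gate only checks that the caller is
    // already on the list, so any listed lender can add or remove other entries.
    function setApprovedLendersMemberGated(address[] calldata _lenders, bool _approval) external {
        if (!approvedLenders[msg.sender]) revert NotApprovedLender();
        _set(_lenders, _approval);
    }

    // Hardened form: only the designated owner may change list membership.
    function setApprovedLendersOwnerGated(address[] calldata _lenders, bool _approval) external {
        if (msg.sender != owner) revert NotOwner();
        _set(_lenders, _approval);
    }

    function _set(address[] calldata _lenders, bool _approval) private {
        for (uint256 i = 0; i < _lenders.length; ++i) {
            approvedLenders[_lenders[i]] = _approval;
            emit LenderApprovalSet(_lenders[i], _approval, msg.sender);
        }
    }
}
```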