Skip to content

Latest commit

 

History

History
51 lines (32 loc) · 1.27 KB

055.md

File metadata and controls

51 lines (32 loc) · 1.27 KB
Raw

Petite Pewter Orangutan

High

No access control on setCollateralEscrowBeacon

Summary

CollateralManager::setCollateralEscrowBeacon can be called by anyone.

Root Cause

No response

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

An attacker can set the escrow beacon and drain funds. As we can see it has reinitializer, which means it can be changed.

PoC

CollateralManager::setCollateralEscrowBeacon

    /**
     * @notice Sets the address of the Beacon contract used for the collateral escrow contracts.
     * @param _collateralEscrowBeacon The address of the Beacon contract.
     */
    function setCollateralEscrowBeacon(address _collateralEscrowBeacon)
        external
        reinitializer(2)
    {
        collateralEscrowBeacon = _collateralEscrowBeacon;
    }

Mitigation

for setCollateralEscrowBeacon() set onlyTellerV2 modifier.