code-423n4/2024-05-loop-findings

LRT token can only be allowed

howlbot-integration opened this issue · 3 comments

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L364

Vulnerability details

Impact

The contract only supports adding LRT Tokens and there's no way to remove tokens.

Proof of Concept

Currently, the contract only supports adding LRT Tokens, and there's no way to remove an existing token from isTokenAllowed mapping.

    function allowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = true;
    }

Tools Used

Manual

Recommended Mitigation Steps

Add a param _allow to specify the value.

Assessed type
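As an added illustration of the recommended mitigation (not code from the PrelaunchPoints contract or the 2024-05-loop repository), the snippet below shows an allowlist setter that takes a `bool _allow` so an authorized caller can both allow and later disallow a token. `isTokenAllowed` and `onlyAuthorized` mirror the names in the finding; the `owner` variable, the `TokenAllowedSet` event and the custom errors are assumptions made for this example. It does not model the withdrawal path for non-allowed tokens mentioned in the sponsor's comment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example only: a minimal allowlist where a token can be allowed and
/// disallowed through one setter. Names other than isTokenAllowed and
/// onlyAuthorized are assumptions, not taken from PrelaunchPoints.sol.
contract TokenAllowlistExample {
    address public owner;
    mapping(address => bool) public isTokenAllowed;

    /// Emitted on every allowlist change so off-chain monitoring can follow
    /// each token that is enabled or disabled, and by which value.
    event TokenAllowedSet(address indexed token, bool allowed);

    error NotAuthorized();
    error ZeroAddress();

    modifier onlyAuthorized() {
        if (msg.sender != owner) revert NotAuthorized();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Allow (_allow = true) or disallow (_allow = false) an LRT token.
    /// The zero-address check prevents accidentally toggling an empty entry.
    function allowToken(address _token, bool _allow) external onlyAuthorized {
        if (_token == address(0)) revert ZeroAddress();
        isTokenAllowed[_token] = _allow;
        emit TokenAllowedSet(_token, _allow);
    }
}
```

Disallowing becomes a plain `allowToken(token, false)` call, and the event gives a complete on-chain history of allowlist changes that a monitoring rule can alert on.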

Context

Disallowing tokens poses a critical risk in case of a malicious owner, since it has the power to withdraw non-allowed tokens. Also, there is no risk for users or for the team in allowing malicious tokens, or at least not proven in this submission.

koolexcrypto changed the severity to QA (Quality Assurance)

koolexcrypto marked the issue as grade-c