The contract lacks a setter to disallow a token
howlbot-integration opened this issue · 3 comments
howlbot-integration commented
Lines of code
Vulnerability details
Impact
Inability to disallow tokens when needed
Proof of Concept
The contract uses the allowToken function to set the token to true in the isTokenAllowed mapping.
Contract: PrelaunchPoints.sol (lines 364-366)
    function allowToken(address _token) external onlyAuthorized {
        isTokenAllowed[_token] = true;
    }
Accordingly, if the token to be locked is not in the mapping, it can't be locked.
However, this function is one-way and there is no way to toggle the boolean to false.
If, for any reason, a token needs to be excluded from this mapping, it won't be possible.
Tools Used
Manual Review
Recommended Mitigation Steps
Refactor the function as below:
Contract: PrelaunchPoints.sol
364: function allowToken(address _token, bool _include) external onlyAuthorized {
- isTokenAllowed[_token] = true;
+ isTokenAllowed[_token] = _include;
366: }
Assessed type
Error
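Review bot: on the signature line, the function keeps the name allowToken although the new _include parameter also lets it clear the flag, so a call such as allowToken(token, false) reads as the opposite of what it does. Consider renaming it or adding a separate function for disallowing, and document that the setter is now two-way. The changed body also emits no event, so a switch from allowed to disallowed by an authorized caller leaves nothing for off-chain monitoring to watch; emitting one that carries _token and _include would make the change auditable.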
0xd4n1el commented
This poses a security risk in case of a malicious owner, since disallowedTokens can be withdrawn by the owner.
c4-judge commented
koolexcrypto marked the issue as unsatisfactory:
Invalid