Closed
Labels
- QA (Quality Assurance): assets are not at risk; state handling, function incorrect as to spec, issues with clarity, syntax
- bug: something isn't working
- disagree with severity: sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explains in comments)
- duplicate: this issue or pull request already exists
- resolved: finding has been patched by sponsor (sponsor, please link to the PR containing the fix)
- responded: the Holograph team has reviewed and responded
- sponsor confirmed: sponsor agrees this is a problem and intends to fix it (OK to use with "disagree with severity")
Description
Lines of code
Vulnerability details
Impact
The administrator can change `utilityToken` at any time, with no restriction beyond `onlyAdmin`. The change silently alters what operators have at stake: an operator who called `bondUtilityToken()` while `utilityToken` pointed at a high-value token deposited that token, but `unbondUtilityToken()` pays out whatever `utilityToken` points at when it is called. If the administrator has since switched `utilityToken` to a cheaper or worthless token, the operator is paid in that token instead of the one that was deposited.
Proof of Concept
```solidity
function setUtilityToken(address utilityToken) external onlyAdmin {
  assembly {
    // Overwrites the storage slot directly; no timelock, no check for bonded operators.
    sstore(_utilityTokenSlot, utilityToken) //@audit
  }
}
```
Tools Used
vscode
Recommended Mitigation Steps
Put `setUtilityToken` behind a timelock, so operators are notified and can unbond before the change takes effect, or make it revert while any operator currently holds a bonded balance.
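The following Solidity is an added illustration and not Holograph's code: a minimal stand-in for the bonding flow described above, next to a hardened version that applies both suggested mitigations (a two-step, timelocked token change that also refuses to apply while anything is still bonded). The contract names, the `bonded`/`totalBonded` bookkeeping, the 7-day delay, and the plain storage variable used in place of the audited contract's assembly slot are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal ERC20 surface; only what the example needs.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Stand-in for the audited flow (assumed names). Shows why an unrestricted setter
// is dangerous: unbond pays out whatever token is configured at call time.
contract BondingVulnerable {
    address public admin;
    IERC20 public utilityToken;
    mapping(address => uint256) public bonded;

    constructor(IERC20 token) { admin = msg.sender; utilityToken = token; }
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    // Same shape as the audited setter: nothing beyond onlyAdmin.
    function setUtilityToken(IERC20 token) external onlyAdmin { utilityToken = token; }

    function bondUtilityToken(uint256 amount) external {
        require(utilityToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        bonded[msg.sender] += amount;
    }

    // If utilityToken was swapped after bonding, the operator gets the new token.
    function unbondUtilityToken() external {
        uint256 amount = bonded[msg.sender];
        bonded[msg.sender] = 0;
        require(utilityToken.transfer(msg.sender, amount), "transfer failed");
    }
}

// Hardened variant: propose, wait, then apply only when nothing is bonded.
contract BondingHardened {
    uint256 public constant TOKEN_CHANGE_DELAY = 7 days; // assumed delay
    address public admin;
    IERC20 public utilityToken;
    IERC20 public pendingUtilityToken;
    uint256 public pendingUtilityTokenEta;
    uint256 public totalBonded;
    mapping(address => uint256) public bonded;

    event UtilityTokenProposed(address indexed token, uint256 eta);
    event UtilityTokenChanged(address indexed token);

    constructor(IERC20 token) { admin = msg.sender; utilityToken = token; }
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    // Step 1: announce the change on-chain; operators now have TOKEN_CHANGE_DELAY to unbond.
    function proposeUtilityToken(IERC20 token) external onlyAdmin {
        require(address(token) != address(0), "zero token");
        pendingUtilityToken = token;
        pendingUtilityTokenEta = block.timestamp + TOKEN_CHANGE_DELAY;
        emit UtilityTokenProposed(address(token), pendingUtilityTokenEta);
    }

    // Step 2: apply only after the delay AND only when no operator still has the old token bonded.
    function applyUtilityToken() external onlyAdmin {
        require(address(pendingUtilityToken) != address(0), "nothing pending");
        require(block.timestamp >= pendingUtilityTokenEta, "timelock active");
        require(totalBonded == 0, "operators still bonded");
        utilityToken = pendingUtilityToken;
        delete pendingUtilityToken;
        delete pendingUtilityTokenEta;
        emit UtilityTokenChanged(address(utilityToken));
    }

    // New bonds are refused while a change is pending, so totalBonded can reach zero.
    function bondUtilityToken(uint256 amount) external {
        require(address(pendingUtilityToken) == address(0), "token change pending");
        require(utilityToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        bonded[msg.sender] += amount;
        totalBonded += amount;
    }

    function unbondUtilityToken() external {
        uint256 amount = bonded[msg.sender];
        bonded[msg.sender] = 0;
        totalBonded -= amount;
        require(utilityToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The `totalBonded == 0` check is what actually protects deposits; the timelock only gives operators a window to leave. If refusing new bonds during a pending change is unacceptable operationally, the alternative is to record the token address alongside each operator's bonded amount and pay `unbondUtilityToken()` out in that recorded token, which removes the dependency on the current `utilityToken` altogether.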