New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

some protected external non-view functions does not have sphereXGuardExternal() modifier #88

Open

howlbot-integration bot opened this issue Sep 20, 2024 · 2 comments

Labels

bug downgraded by judge duplicate-42 grade-b Q-12 QA (Quality Assurance) 🤖_38_group sufficient quality report

howlbot-integration bot commented Sep 20, 2024

Lines of code

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/HooksFactory.sol#L201
https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/HooksFactory.sol#L275
https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/HooksFactory.sol#L491
https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/HooksFactory.sol#L518
https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/HooksFactory.sol#L594

Vulnerability details

The sphereXGuardExternal() modifier is to be incorporated in all external protected non-view functions as stated in the comments ,

However due to an oversight , some protected external non-view functions does not have the modifier incorporated

Impact

The _sphereXValidateExternalPre() function would not be called before the function execution, bypassing security checks or transaction monitoring.

Proof of Concept

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/HooksFactory.sol#L201

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/HooksFactory.sol#L275

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/HooksFactory.sol#L491

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/HooksFactory.sol#L518

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/HooksFactory.sol#L594

Tools Used

Manual Review

Recommended Mitigation Steps

Ensure that all protected external non-view functions incorporates the sphereXGuardExternal() modifier

Assessed type

Other

The text was updated successfully, but these errors were encountered:

howlbot-integration bot added 2 (Med Risk) 🤖_38_group bug duplicate-42 sufficient quality report labels

howlbot-integration bot added a commit that referenced this issue


          air_0x issue #88

e3418cb

howlbot-integration bot closed this as completed

Contributor

c4-judge commented Oct 3, 2024

3docSec changed the severity to QA (Quality Assurance)

c4-judge added downgraded by judge QA (Quality Assurance) grade-b and removed 2 (Med Risk) labels

Contributor

c4-judge commented Oct 3, 2024

3docSec marked the issue as grade-b

C4-Staff reopened this

C4-Staff added the Q-12 label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment