Skip to content

Latest commit

 

History

History
32 lines (25 loc) · 1.25 KB

Permission-granting is too simplistic and not flexible enough.md

File metadata and controls

32 lines (25 loc) · 1.25 KB

The Yield Protocol contracts implement an oversimplified permission system that can be abused by the administrator.

The Yield Protocol implements several contracts that need to call privileged functions from each other.

However, there is no way to specify which operation can be called for every privileged user.

All the authorized addresses can call any restricted function, and the owner can add any number of them.

Also, the privileged addresses are supposed to be smart contracts; however, there is no check for that.

Moreover, once an address is added, it cannot be deleted.

Recommendation:

Rewrite the authorization system to allow only certain addresses to access certain functions


Slide Screenshot

139.jpg


Slide Text

  • ToB Audit Yield Finding 2
  • Access Control
  • Coarse Permissions
  • Rearchitect Permissions
  • Least Privilege

References


Tags