Skip to content

Latest commit

 

History

History
38 lines (19 loc) · 1.34 KB

186.md

File metadata and controls

38 lines (19 loc) · 1.34 KB
Raw

Scrawny Mustard Tadpole

Medium

Allowlist Not Checked In AContractAction

Summary

There exists an allowlist when a boost is created , it defines all who can perform the action on the boost. But this allowlist is not checked in the AContractAction which holds the execute function.

Vulnerability Detail

1.) A boost is created and an allowlist is provided for the boost which acts like a whitelist for the boost ->

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L127

This can either be a allowlist or a deny list (blacklisted addresses)

2.) Imagine Alice was blacklisted for the above boost , but she can still perform the action ( contract action , moreover there is no such check in any action like EventAction ) , this is because in the AContractAction there is no check if Alice is in the blacklist or not ->

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/actions/AContractAction.sol

Impact

Blacklisted users can perform actions and claim incentives.

Code Snippet

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/actions/AContractAction.sol

Tool used

Manual Review

Recommendation

Check if the user performing the action is permitted or not.