Lack of Functionality for Signer to Revoke Delegation #11
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
🤖_primary: AI based primary recommendation
🤖_05_group: AI based duplicate group recommendation
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-11-ethena-labs/blob/main/contracts/ustb/UStbMinting.sol#L311
https://github.com/code-423n4/2024-11-ethena-labs/blob/main/contracts/ustb/UStbMinting.sol#L317
https://github.com/code-423n4/2024-11-ethena-labs/blob/main/contracts/ustb/UStbMinting.sol#L326
Vulnerability details
Impact
Proof of Concept
Root Cause:
The UStbMinting contract implements a system for delegating signing rights through the delegatedSigner mapping. This system enables smart contracts to delegate signing to another address (signer) and allows the signer to accept. However, there is no mechanism for the original signer to revoke or reject a delegation once he has accepted.
Relevant Code:
Problem Analysis:
The removeDelegatedSigner function only allows the benefactor to revoke the delegation, but the original signer has no equivalent function to do so.
1. address A sets delegate address B (signer) for signing.
2. address B confirms the delegation.
3. address B decides to remove signing rights for address A, but there is no function available for address B to revoke this delegation independently.
Recommended Mitigation Steps
Introduce a Function for Signer-Driven Revocation:
Add a function that allows the original signer to revoke the delegation status:
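A sketch of the signer-driven revocation described above, added here as an illustration and not taken from the report or from the UStbMinting source. The contract is a minimal model of the delegation flow: the enum, events, error, the mapping key order and the function `revokeAsSigner` are assumptions of this sketch; only `delegatedSigner` and `removeDelegatedSigner` are names the report itself uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration: a minimal model of the delegation flow, not the project's code.
contract DelegationModel {
    enum Status { NONE, PENDING, ACCEPTED }

    // delegatedSigner[signer][benefactor]; the key order is an assumption of this model.
    mapping(address => mapping(address => Status)) public delegatedSigner;

    event DelegationInitiated(address indexed signer, address indexed benefactor);
    event DelegationAccepted(address indexed signer, address indexed benefactor);
    event DelegationRemoved(address indexed signer, address indexed benefactor);

    error NoDelegation();

    // Step 1: the benefactor (address A) proposes a signer (address B).
    function setDelegatedSigner(address signer) external {
        delegatedSigner[signer][msg.sender] = Status.PENDING;
        emit DelegationInitiated(signer, msg.sender);
    }

    // Step 2: the signer (address B) accepts a pending proposal.
    function confirmDelegatedSigner(address benefactor) external {
        if (delegatedSigner[msg.sender][benefactor] != Status.PENDING) revert NoDelegation();
        delegatedSigner[msg.sender][benefactor] = Status.ACCEPTED;
        emit DelegationAccepted(msg.sender, benefactor);
    }

    // Benefactor-side removal: the only revocation path the report says exists.
    function removeDelegatedSigner(address signer) external {
        delete delegatedSigner[signer][msg.sender];
        emit DelegationRemoved(signer, msg.sender);
    }

    // Hypothetical addition: the signer (address B) withdraws on its own.
    // msg.sender is the first key, so a signer can only clear entries where it
    // is the delegate, and it can decline a PENDING proposal as well as undo
    // an ACCEPTED one. The entry must exist, which keeps the event log free of
    // removals for delegations that were never created.
    function revokeAsSigner(address benefactor) external {
        if (delegatedSigner[msg.sender][benefactor] == Status.NONE) revert NoDelegation();
        delete delegatedSigner[msg.sender][benefactor]; // resets to Status.NONE
        emit DelegationRemoved(msg.sender, benefactor);
    }
}
```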