Skip to content

fix(security): implement missing access controls on withdrawTokens and initConfig#426

Open
anzzyspeaksgit wants to merge 1 commit into
ithacaxyz:mainfrom
anzzyspeaksgit:fix/issue-420
Open

fix(security): implement missing access controls on withdrawTokens and initConfig#426
anzzyspeaksgit wants to merge 1 commit into
ithacaxyz:mainfrom
anzzyspeaksgit:fix/issue-420

Conversation

@anzzyspeaksgit

Copy link
Copy Markdown

Problem

As reported in #420, two high severity security issues were identified:

  1. Orchestrator.withdrawTokens had no access controls, allowing anyone to sweep tokens from the orchestrator.
  2. MultiSigSigner.initConfig bypassed _checkKeyHash, allowing a session key to front-run the legitimate owner, initialize a malicious super-admin multisig config, and permanently lock it.

Solution

  • Orchestrator: Imported solady/auth/Ownable.sol, added Ownable inheritance, initialized the owner in a new constructor() (assigned to msg.sender), and added the onlyOwner modifier to withdrawTokens (similar to SimpleFunder).
  • MultiSigSigner: Explicitly gated initConfig to ensure that only the EOA key (contextKeyHash == bytes32(0)) or an authorized super-admin key (verified via IthacaAccount.getKey) can initialize the multisig configurations.

Closes #420

…initConfig (ithacaxyz#420)

- Added `Ownable` and `onlyOwner` modifier to `Orchestrator.withdrawTokens` to prevent unauthorized sweeping of accumulated fees/tokens
- Gated `MultiSigSigner.initConfig` so that only the EOA key (`contextKeyHash == bytes32(0)`) or super-admin keys can initialize the config, preventing front-running attacks

Closes ithacaxyz#420
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG]: Missing access control on withdrawTokens + missing auth check on initConfig

1 participant