Description
OffersAccessControl.sol has a function withdrawTotalLostAndFoundBalance() guarded by the onlyLostAndFound modifier, which checks that msg.sender is the lostAndFoundAddress:
require(msg.sender == lostAndFoundAddress, "only LostAndFound is allowed to perform this operation");
However, there is a slight possibility that someone owns the private key corresponding to the 0x0 address. Such a holder would be able to call every function guarded by this modifier for as long as lostAndFoundAddress has not been initialized, because an unset address storage slot holds address(0) and the equality check then passes for a caller at 0x0.
"How msg.sender can be equal to 0?
Having said all this, address 0x0 is a perfectly valid address. It's just as possible that you'll find the private key to this address as to any other address. If someone does find the associated private key, yes, they'll be very rich, given this address's use as a burn address. (There's a small caveat: not all addresses have associated private keys, given the way addresses are generated. There's no way to know whether address 0x0 is one of these addresses.)"
Scenario
To exploit this vulnerability, someone must own the private key whose derived address is 0x0.
Impact
The impact is high; the likelihood, however, is low.
Reproduction
Fix
Add a check that the address is initialized:
modifier onlyLostAndFound() {
    require(msg.sender == lostAndFoundAddress && lostAndFoundAddress != address(0), "only LostAndFound is allowed to perform this operation");
    _;
}
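As an added example (not the project's OffersAccessControl.sol), the hardened modifier shown above placed in a minimal contract, together with the second layer the fix implies: rejecting address(0) wherever the address is assigned, so the slot is never left or returned to the uninitialized state. The contract, owner, constructor and setter names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's OffersAccessControl.sol. Everything except
// lostAndFoundAddress, onlyLostAndFound and withdrawTotalLostAndFoundBalance
// is an assumed name.
contract LostAndFoundAccessExample {
    address public owner;
    address public lostAndFoundAddress;

    constructor(address initialLostAndFound) {
        owner = msg.sender;
        _setLostAndFoundAddress(initialLostAndFound);
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "only owner is allowed to perform this operation");
        _;
    }

    // Hardened modifier from the report. While the storage slot is still unset it
    // holds address(0), so the equality check alone would admit a caller whose
    // address is 0x0; the explicit zero check closes that window.
    modifier onlyLostAndFound() {
        require(
            lostAndFoundAddress != address(0) && msg.sender == lostAndFoundAddress,
            "only LostAndFound is allowed to perform this operation"
        );
        _;
    }

    // Second layer: never allow the slot to be set (or reset) to address(0), so
    // the modifier's zero check only matters between deployment and first assignment.
    function _setLostAndFoundAddress(address newAddress) internal {
        require(newAddress != address(0), "lostAndFound address must be initialized");
        lostAndFoundAddress = newAddress;
    }

    function setLostAndFoundAddress(address newAddress) external onlyOwner {
        _setLostAndFoundAddress(newAddress);
    }

    function withdrawTotalLostAndFoundBalance() external onlyLostAndFound {
        payable(lostAndFoundAddress).transfer(address(this).balance);
    }

    receive() external payable {}
}
```

With the setter rejecting zero, the only state in which lostAndFoundAddress can equal address(0) is before the constructor runs, which is unreachable for external callers; the zero check in the modifier is kept as defence in depth.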
Ethereum address
0x09Cf79Bdf8F68739979C8c825C103A7538Bd4f4b