Removal from callbackAuthorized is not conclusive
Description
The callbackAuthorized mapping dictates which msg.sender is allowed to perform callbacks on a specific market, and it is set via the setCallbackAuthStatus function. The status of this authorization is only checked when the market is created, even though the msg.sender can lose their right to perform callbacks in the meantime, should the owner decide so.

Currently, there are no checks whatsoever, in any of the accompanying contracts, for whether the msg.sender is still allowed to perform callbacks on a market once it exists.
    function _createMarket(MarketParams memory params_) internal returns (uint256) {
        {
            // Check that the auctioneer is allowing new markets to be created
            if (!allowNewMarkets) revert Auctioneer_NewMarketsNotAllowed();

            // Ensure params are in bounds
            uint8 payoutTokenDecimals = params_.payoutToken.decimals();
            uint8 quoteTokenDecimals = params_.quoteToken.decimals();

            if (payoutTokenDecimals < 6 || payoutTokenDecimals > 18)
                revert Auctioneer_InvalidParams();
            if (quoteTokenDecimals < 6 || quoteTokenDecimals > 18)
                revert Auctioneer_InvalidParams();
            if (params_.scaleAdjustment < -24 || params_.scaleAdjustment > 24)
                revert Auctioneer_InvalidParams();

            // Restrict the use of a callback address unless allowed
            if (!callbackAuthorized[msg.sender] && params_.callbackAddr != address(0))
                revert Auctioneer_NotAuthorized();
        }
        // ...
    }
Impact
Allowing a previously whitelisted msg.sender to keep performing callbacks may result in undesired actions on behalf of the market it previously represented, potentially leading to financial losses.
Recommendations
We recommend ensuring that once a user has been removed from the whitelist, they can no longer perform actions on behalf of the market they originally represented.
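The following simplified contract is an added illustration of the creation-time-only check described above next to the recommended re-check at callback time; it is not the project's code, and the MarketInfo layout, the IMarketCallback interface, admin, createMarket and settle are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative callback target; the interface name and `onSettle` are assumptions.
interface IMarketCallback {
    function onSettle(uint256 id) external;
}
// Simplified auctioneer illustrating the finding. `MarketInfo`, `markets`,
// `admin`, `createMarket` and `settle` are assumptions, not the audited layout.
contract AuctioneerExample {
    struct MarketInfo {
        address owner;        // msg.sender that created the market
        address callbackAddr; // callback contract, address(0) if none
    }

    address public immutable admin;
    mapping(address => bool) public callbackAuthorized;
    MarketInfo[] public markets;

    error Auctioneer_NotAuthorized();
    constructor() { admin = msg.sender; }

    // Owner-controlled whitelist; revocation takes effect here.
    function setCallbackAuthStatus(address user_, bool status_) external {
        require(msg.sender == admin, "not admin");
        callbackAuthorized[user_] = status_;
    }

    function createMarket(address callbackAddr_) external returns (uint256) {
        return _createMarket(callbackAddr_);
    }

    function _createMarket(address callbackAddr_) internal returns (uint256 id) {
        // As in the finding: authorization is checked only at creation time.
        if (!callbackAuthorized[msg.sender] && callbackAddr_ != address(0))
            revert Auctioneer_NotAuthorized();
        markets.push(MarketInfo({owner: msg.sender, callbackAddr: callbackAddr_}));
        return markets.length - 1;
    }
    // Hardened path: re-check the *stored owner* (not msg.sender, which is the
    // buyer here) before every callback, so revoking a user's status also stops
    // callbacks on markets they created earlier.
    function settle(uint256 id_) external {
        MarketInfo storage m = markets[id_];
        if (m.callbackAddr == address(0)) return;
        if (!callbackAuthorized[m.owner]) revert Auctioneer_NotAuthorized();
        IMarketCallback(m.callbackAddr).onSettle(id_);
    }
}
```

Note that the re-check must key on the market's recorded creator rather than on msg.sender of the settling call, since the caller at that point is the buyer, not the party whose callback rights may have been revoked.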
Remediation
Bond Labs acknowledged this finding and implemented a fix in commit 00ddf327.