Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Initia>Discussion>Empty allowed_publishers array allows every address to publish
GeneralOverview
Findings
Critical (3)
High (12)
Medium (4)
Low (9)
Informational (3)
DiscussionGeneral DiscussionImprove AMM testsBridge executor minting powerCharge before using valuesEmpty allowed_publishers array allows every address to publishERC20Keeper with custom contractsSuggestions for additional security checksTable handle overflow leads to abort
Threat ModelWhat are threat models?stdlib
Audit ResultsSummary
AppendixProof of concept: Reference safety verifier bypass

Empty allowed_publishers array allows every address to publish

The following behavior appears to be intended. However, it is unintuitive behavior and possibly dangerous.

We wanted to note that if allowed_publishers is ever an empty array in code.move, the following code will allow any address to publish a module:

fun assert_allowed(allowed_publishers: &vector<address>, addr: address) {
    assert!(
        vector::is_empty(allowed_publishers) || vector::contains(allowed_publishers, &addr), 
        error::invalid_argument(EINVALID_ALLOWED_PUBLISHERS),
    )
}
Zellic © 2024Back to top ↑