{"componentChunkName":"component---node-modules-rocketseat-gatsby-theme-docs-core-src-templates-docs-query-js","path":"/manual-review/CallWhitelistApprovals-CWA","result":{"data":{"mdx":{"id":"85a562ab-044b-527b-a01f-8fe10051c876","excerpt":"CWA-01M: Insecure Whitelist Potential Type Severity Location Logical Fault CallWhitelistApprovals.sol:L26 ,  L51-L54 Description: The  CallWhitelistApprovals…","fields":{"slug":"/manual-review/CallWhitelistApprovals-CWA/"},"frontmatter":{"title":"CallWhitelistApprovals Manual Review Findings","description":"Contains all the findings that relate to manual review on the contract codebase","image":null,"disableTableOfContents":null},"body":"var _excluded = [\"components\"];\n\nfunction _extends() { _extends = Object.assign || function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\n\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\n\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n\n/* @jsxRuntime classic */\n\n/* @jsx mdx */\nvar _frontmatter = {\n  \"title\": \"CallWhitelistApprovals Manual Review Findings\",\n  \"description\": 
\"Contains all the findings that relate to manual review on the contract codebase\"\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n      props = _objectWithoutProperties(_ref, _excluded);\n\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"h2\", {\n    \"id\": \"span-idcwa-01mcwa-01m-insecure-whitelist-potentialspan\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#span-idcwa-01mcwa-01m-insecure-whitelist-potentialspan\",\n    \"aria-label\": \"span idcwa 01mcwa 01m insecure whitelist potentialspan permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), mdx(\"span\", {\n    id: \"CWA-01M\"\n  }, \"CWA-01M: Insecure Whitelist Potential\")), mdx(\"table\", null, mdx(\"thead\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"thead\"\n  }, mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Type\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Severity\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Location\"))), mdx(\"tbody\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    
parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"/reports/arcade-xyz-protocol-implementation-64b937995ed4f90014b424b9/appendix/finding-types#logical-fault\"\n  }, \"Logical Fault\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"img\", {\n    parentName: \"td\",\n    \"className\": \"o-severity o-major\",\n    \"src\": \"https://omniscia.io/report-assets/major.png\"\n  })), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/arcadexyz/arcade-protocol/blob/f1eb8ae7b7595f7dc46dc785e35172d9b8f63cf0/contracts/vault/CallWhitelistApprovals.sol#L26\"\n  }, \"CallWhitelistApprovals.sol:L26\"), \", \", mdx(\"a\", {\n    parentName: \"td\",\n    \"href\": \"https://github.com/arcadexyz/arcade-protocol/blob/f1eb8ae7b7595f7dc46dc785e35172d9b8f63cf0/contracts/vault/CallWhitelistApprovals.sol#L51-L54\"\n  }, \"L51-L54\"))))), mdx(\"h3\", {\n    \"id\": \"description\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#description\",\n    \"aria-label\": \"description permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Description:\"), mdx(\"p\", null, 
\"The \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"CallWhitelistApprovals\"), \" contract implementation is presently insecure when utilized with an \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"AssetVault\"), \" in the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"LoanCore\"), \" context as it permits spenders to be set before an \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"AssetVault\"), \" is escrowed, essentially compromising the funds held within the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"AssetVault\"), \" after the loan has been created.\"), mdx(\"h3\", {\n    \"id\": \"impact\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#impact\",\n    \"aria-label\": \"impact permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Impact:\"), mdx(\"p\", null, \"The current implementation of \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"AssetVault\"), \" in conjunction with \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"CallWhitelistApprovals\"), \" is incompatible with the Arcade XYZ lending system.\"), mdx(\"h3\", {\n    \"id\": \"example\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#example\",\n  
  \"aria-label\": \"example permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Example:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-sol\",\n    \"metastring\": \"title=contracts/vault/CallWhitelistApprovals.sol highlight={11} lineNumbers=true lineOffset=41\",\n    \"title\": \"contracts/vault/CallWhitelistApprovals.sol\",\n    \"highlight\": \"{11}\",\n    \"lineNumbers\": \"true\",\n    \"lineOffset\": \"41\"\n  }, \"/**\\n * @notice Sets approval status of a given token for a spender. 
Note that this is\\n *         NOT a token approval - it is permission to create a token approval from\\n *         the asset vault.\\n *\\n * @param token                The token approval to set.\\n * @param spender              The token spender.\\n * @param _isApproved          Whether the spender should be approved.\\n */\\nfunction setApproval(address token, address spender, bool _isApproved) external onlyOwner {\\n    approvals[token][spender] = _isApproved;\\n    emit ApprovalSet(msg.sender, token, spender, _isApproved);\\n}\\n\")), mdx(\"h3\", {\n    \"id\": \"recommendation\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#recommendation\",\n    \"aria-label\": \"recommendation permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Recommendation:\"), mdx(\"p\", null, \"We advise a new \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mapping\"), \" to be introduced that marks a particular asset / collateral as \\\"dirty\\\". 
In essence, whenever \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://github.com/arcadexyz/arcade-protocol/blob/f1eb8ae7b7595f7dc46dc785e35172d9b8f63cf0/contracts/vault/CallWhitelistApprovals.sol#L51-L54\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"a\"\n  }, \"CallWhitelistApprovals::setApproval\")), \" is called it will mark the specified \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"token\"), \" as \\\"dirty\\\" permitting on-chain code to validate whether the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"token\"), \" may be compromised within an \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"AssetVault\"), \".\"), mdx(\"p\", null, \"A new \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"ISignatureVerifier\"), \" can thus be introduced to the codebase that evaluates predicates guaranteeing that the assets are not \\\"dirty\\\" and thus safe to assume that they will remain within the escrowed \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"AssetVault\"), \".\"), mdx(\"h3\", {\n    \"id\": \"alleviation-7a4e1dc948\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#alleviation-7a4e1dc948\",\n    \"aria-label\": \"alleviation 7a4e1dc948 permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  
}))), \"Alleviation (7a4e1dc948):\"), mdx(\"p\", null, \"The Arcade XYZ team specified that they wish to retain the current functionality of the whitelist in place and that it is up to integrators as well as counterparties to validate the suitability of an \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"AssetVault\"), \" as collateral, potentially by utilizing specialized verifier contracts.\"), mdx(\"p\", null, \"We would like to note that the inclusion of a programmatic check is meant to prevent on-chain race conditions whereby a user manually assesses an \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"AssetVault\"), \" as viable and its status is changed via an on-chain race.\"), mdx(\"p\", null, \"In any case, we consider dedicated verifiers to be a suitable resolution to the vulnerability described and we would like to advise the Arcade XYZ team to consider including them as part of the \\\"standard\\\" Arcade XYZ library.\"), mdx(\"p\", null, \"As the Arcade XYZ team stated that they do not wish to pursue any additional immediate action, we consider this exhibit acknowledged albeit to be re-evaluated by the Arcade XYZ team.\"), mdx(\"h3\", {\n    \"id\": \"alleviation-45ccaa43fa\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#alleviation-45ccaa43fa\",\n    \"aria-label\": \"alleviation 45ccaa43fa permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 
0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Alleviation (45ccaa43fa):\"), mdx(\"p\", null, \"The Arcade XYZ team re-evaluated this exhibit and has opted to retain their acknowledgement as programmatic checks would hinder the flexibility of the protocol and predicates have been introduced to it for this very purpose (i.e. additional validations of a particular loan agreement).\"), mdx(\"p\", null, \"As such, we consider this exhibit acknowledged with no further action pending from the Arcade XYZ team.\"));\n}\n;\nMDXContent.isMDXComponent = true;","headings":[{"depth":2,"value":"<span id=\"CWA-01M\">CWA-01M: Insecure Whitelist Potential</span>"},{"depth":3,"value":"Description:"},{"depth":3,"value":"Impact:"},{"depth":3,"value":"Example:"},{"depth":3,"value":"Recommendation:"},{"depth":3,"value":"Alleviation (7a4e1dc948):"},{"depth":3,"value":"Alleviation (45ccaa43fa):"}]}},"pageContext":{"slug":"/manual-review/CallWhitelistApprovals-CWA/","prev":{"label":"CallBlacklist.sol (CBT-M)","link":"/manual-review/CallBlacklist-CBT"},"next":{"label":"CollectionWideOfferVerifier.sol (CWO-M)","link":"/manual-review/CollectionWideOfferVerifier-CWO"}}},"staticQueryHashes":["1954253342","2328931024","2501019404","973074209"]}