Omniscia fetchai Audit

DebtBalancer Manual Review Findings

DBR-01M: Inexistent Access Control

Description:

The transferDebt and doTransfer functions are sensitive system functions. The latter performs no access control validation at all, while the former only checks its preconditions and does not apply the caller-based access control that other modules of the system do.

Example:

contracts/ALP/DebtBalancer.sol
/**
 * @notice Call if loans breach their limits in order to transfer debts as a remedy
 * @param account Address of the borrower
 * @param actId Id of the ERC1155 ACT token
 */
function transferDebt(address account, uint256 actId) external nonReentrant() {
    // Add validator
    transferDebtAllowed(account, actId);

    _doTransfer(account, actId);
}

/**
 * @notice Transfer debts for other reasons - no validity tests done
 * @param account Address of the borrower
 * @param actId Id of the ERC1155 ACT token
 */
function doTransfer(address account, uint256 actId) external nonReentrant() {
    _doTransfer(account, actId);
}

Recommendation:

We advise revising the access control of both functions and restricting access to doTransfer, as anyone can currently use it to cause undesired and unvalidated debt transfers.

Alleviation:

The Atomix team has stated that the transferDebt function is meant to be invoked by anyone to allow decentralization of this feature of the protocol in the future. However, the doTransfer function should only be called by privileged roles, and such a check was introduced in the codebase.
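
The distinction this finding draws (no checks, precondition checks only, caller-based restriction) can be verified mechanically on every entry point that reaches _doTransfer. The script below is an added example, not part of the audit or of the Atomix codebase; it is a regex heuristic rather than a Solidity parser, and the doTransferGuarded function, the onlyRole modifier, the DEBT_ADMIN name and the only* naming convention are assumptions made for illustration.

```python
import re

# Constructed sample: the two entry points quoted in the finding plus a
# hypothetical guarded variant (onlyRole / DEBT_ADMIN are assumed names).
SAMPLE = """
function transferDebt(address account, uint256 actId) external nonReentrant() {
    // Add validator
    transferDebtAllowed(account, actId);
    _doTransfer(account, actId);
}
function doTransfer(address account, uint256 actId) external nonReentrant() {
    _doTransfer(account, actId);
}
function doTransferGuarded(address account, uint256 actId) external nonReentrant() onlyRole(DEBT_ADMIN) {
    _doTransfer(account, actId);
}
"""

COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
HEAD_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")  # heuristic header match
ACCESS_RE = re.compile(r"\bonly[A-Z]\w*")  # assumed modifier naming convention

def iter_functions(src):
    for m in HEAD_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(2), src[m.end():i - 1]

def audit(src, sink="_doTransfer"):
    """Classify every external/public function that reaches `sink`."""
    src = COMMENT_RE.sub("", src)
    call = re.compile(r"\b%s\s*\(" % re.escape(sink))
    report = {}
    for name, tail, body in iter_functions(src):
        hit = call.search(body)
        if not hit or not re.search(r"\b(external|public)\b", tail):
            continue
        before = body[:hit.start()]
        if ACCESS_RE.search(tail) or "msg.sender" in before:
            report[name] = "restricted"         # caller-based check present
        elif re.search(r"\b\w+\s*\(", before):
            report[name] = "precondition-only"  # state checks, any caller
        else:
            report[name] = "unguarded"          # any caller, no checks
    return report

print(audit(SAMPLE))
```

A "precondition-only" result is not necessarily a defect, as the alleviation for transferDebt shows; it marks functions whose openness should be a documented design decision.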