stake.link

DeFiHardhatBridge
27,500 USDC
Submission Details
Severity: medium
Invalid

Missing Verification of Ownership in `onlyLockOwner` Modifier

Summary

The `onlyLockOwner` modifier in the SDLPool contract does not verify that `msg.sender` is the actual owner of the lock. The modifier relies on an externally supplied parameter (`_owner`) without checking that it matches the caller (`msg.sender`), which could lead to unauthorized access.

Vulnerability Details

The `onlyLockOwner` modifier is intended to restrict certain functions so that only the owner of a lock can call them. However, the modifier does not check that `msg.sender` equals the supplied `_owner`. This could allow an attacker to bypass the intended access control by supplying a different `_owner` address.

    // Delegates the ownership check to an internal helper; both the lock id
    // and the address to check are supplied by the calling function.
    modifier onlyLockOwner(uint256 _lockId, address _owner) {
        _onlyLockOwner(_lockId, _owner);
        _;
    }

Impact

The lack of proper ownership verification in the onlyLockOwner modifier may lead to unauthorized access, enabling an attacker to execute functions restricted to the owner of a lock.

Tools Used

Manual

Recommendations

Add a check within the `onlyLockOwner` modifier that `msg.sender` is the owner of the specified lock, so the guard does not depend on the `_owner` value a caller passes in.
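To show the recommended check in working Solidity, the following is an added example and not code from the submission or from the stake.link SDLPool contract; the contract, its `lockOwners` storage, `createLock`, the transfer functions and the `SenderNotAuthorized` error are all assumptions. It places the parameterised modifier shape the report describes beside a form bound directly to `msg.sender`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal lock registry constructed for this example; it is not the
// stake.link SDLPool code, and the storage layout and error name are assumptions.
contract LockAccessControlExample {
    error SenderNotAuthorized();

    mapping(uint256 => address) private lockOwners;
    uint256 public nextLockId = 1;

    function ownerOf(uint256 _lockId) public view returns (address) {
        return lockOwners[_lockId];
    }

    function createLock() external returns (uint256 lockId) {
        lockId = nextLockId++;
        lockOwners[lockId] = msg.sender;
    }

    // Shape the report describes: the address to check against the lock's
    // owner is a parameter. This is only a bypass if some call site passes an
    // address other than msg.sender; when every call site passes msg.sender
    // (as transferLockViaParam does), the parameter is redundant, not exploitable.
    modifier onlyLockOwnerViaParam(uint256 _lockId, address _owner) {
        if (_owner != ownerOf(_lockId)) revert SenderNotAuthorized();
        _;
    }

    // Hardened form the report recommends: bind the check to msg.sender so
    // the guard no longer depends on what the caller supplies.
    modifier onlyLockOwner(uint256 _lockId) {
        if (msg.sender != ownerOf(_lockId)) revert SenderNotAuthorized();
        _;
    }

    function transferLockViaParam(uint256 _lockId, address _to)
        external
        onlyLockOwnerViaParam(_lockId, msg.sender)
    {
        lockOwners[_lockId] = _to;
    }

    function transferLock(uint256 _lockId, address _to) external onlyLockOwner(_lockId) {
        lockOwners[_lockId] = _to;
    }
}
```

When reviewing a modifier of the parameterised shape, the decisive check is to audit every call site for what it passes as `_owner`; the `msg.sender`-bound form removes the need for that audit.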

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
