MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Valid

Missing Access Control on `createPool`

Summary

Missing Access Control on `createPool`

Vulnerability Details

This function is intended to create pools. However, it is not protected by any access-control modifier, and the fields of the pool are not validated before the pool is stored.

```solidity
// Callable by any address: no access-control modifier, no checks on pool_ fields.
function createPool(IDistribution.Pool calldata pool_) public {
    pools.push(pool_);
}
```

Impact

Anyone can spam the contract with fake pools, which in some cases may lead to a DoS attack if there is a loop over the pools.

Tools Used

Manual Audit

Recommendations

Add a modifier that checks whether `msg.sender` is authorised to create a pool. Also validate the pool fields before adding the pool to the `pools` array.
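
A sketch of the recommendation above, added here as an example and not taken from the MorpheusAI code base. The contract name, the `Pool` fields, the custom errors and the specific sanity checks are all assumptions, since the layout of `IDistribution.Pool` is not shown in this report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. The Pool fields are hypothetical
// stand-ins for IDistribution.Pool, whose layout is not shown in this report.
contract DistributionSketch {
    struct Pool {
        uint128 payoutStart;      // hypothetical: timestamp when rewards begin
        uint128 decreaseInterval; // hypothetical: seconds between reward decreases
        uint256 initialReward;    // hypothetical: reward for the first interval
        uint256 rewardDecrease;   // hypothetical: reward reduction per interval
    }

    address public immutable owner;
    Pool[] public pools;

    event PoolCreated(uint256 indexed poolId, Pool pool);

    error NotOwner(address caller);
    error InvalidPool(string reason);

    constructor() {
        owner = msg.sender;
    }

    // Access control: only the deployer may add pools.
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    function createPool(Pool calldata pool_) external onlyOwner {
        // Field validation (example sanity checks on the hypothetical fields).
        if (pool_.payoutStart <= block.timestamp) revert InvalidPool("payoutStart in the past");
        if (pool_.decreaseInterval == 0) revert InvalidPool("decreaseInterval is zero");
        if (pool_.rewardDecrease > pool_.initialReward) revert InvalidPool("decrease exceeds reward");

        pools.push(pool_);
        emit PoolCreated(pools.length - 1, pool_);
    }
}
```

With the modifier in place the `pools` array can only grow through the owner, so any loop over it is bounded by pools the owner chose to add.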

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`createPool` from `DistributionV2.sol` misses all the checks and access control available in `Distribution.sol`

