MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Valid

`createPool` on `DistributionV2` lacks the role modifier that the `Distribution` contract has, so anyone can create a pool

Summary

`createPool` on `DistributionV2` lacks a role modifier, so it is open to the public to create a pool.

Vulnerability Details

`createPool` on `DistributionV2` lacks a role modifier, so anyone can create a pool, unlike the `Distribution` contract, where `createPool` has `onlyOwner`.

File: DistributionV2.sol (lines 18-20)

```solidity
function createPool(IDistribution.Pool calldata pool_) public {
    pools.push(pool_);
}
```

File: Distribution.sol (lines 73-80)

```solidity
function createPool(Pool calldata pool_) public onlyOwner {
    require(pool_.payoutStart > block.timestamp, "DS: invalid payout start value");

    _validatePool(pool_);
    pools.push(pool_);

    emit PoolCreated(pools.length - 1, pool_);
}
```

This is clearly an oversight that leaves `createPool` callable by the public.

Impact

Anyone can create a pool, which the protocol does not expect.

Tools Used

Manual analysis

Recommendations

Add the `onlyOwner` modifier, just like `Distribution::createPool`.
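
A Foundry regression test for this recommendation, as an added example that is not the project's or the submitter's code. `DistributionV2Fixed` is a constructed stand-in: its one-field `Pool` struct (field type assumed), the hand-rolled `owner` check, the revert string, `poolCount` and the `stranger` address are all assumptions made so the file compiles on its own with forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in, not the project's contract: Pool is reduced to the one
// field visible on the page, and ownership is a minimal hand-rolled owner check.
contract DistributionV2Fixed {
    struct Pool { uint128 payoutStart; } // field type is an assumption

    address public owner;
    Pool[] public pools;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // Same body as the reported function, with the missing modifier added.
    function createPool(Pool calldata pool_) public onlyOwner {
        pools.push(pool_);
    }

    function poolCount() external view returns (uint256) { return pools.length; }
}

contract CreatePoolAccessTest is Test {
    DistributionV2Fixed internal dist;
    address internal stranger = address(0xBEEF); // constructed non-owner account

    function setUp() public {
        dist = new DistributionV2Fixed(); // the test contract becomes the owner
    }

    // Fails if the modifier is ever dropped from createPool again.
    function test_nonOwnerCannotCreatePool() public {
        vm.prank(stranger);
        vm.expectRevert(bytes("caller is not the owner"));
        dist.createPool(DistributionV2Fixed.Pool({payoutStart: uint128(block.timestamp + 1)}));
        assertEq(dist.poolCount(), 0);
    }

    function test_ownerCanCreatePool() public {
        dist.createPool(DistributionV2Fixed.Pool({payoutStart: uint128(block.timestamp + 1)}));
        assertEq(dist.poolCount(), 1);
    }
}
```

Removing `onlyOwner` from the stand-in's `createPool` makes `test_nonOwnerCannotCreatePool` fail, which is the behaviour the finding describes.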

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`createPool` from `DistributionV2.sol` misses all the checks and access control available in `Distribution.sol`
