MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Valid

Missing access control on `DistributionV2::createPool()`

Summary

Missing access control on `DistributionV2::createPool()`: anyone is allowed to add a pool, leading to undesired rewards outcomes.

Vulnerability Details

The creation of a Pool should be restricted to the owner of the contract. If not, a malicious pool with extremely high rewards could be registered, decreasing the value of the MOR token.

https://github.com/Cyfrin/2024-01-Morpheus/blob/76898177fbedcbbf4b78b513d9fa151bbf3388de/contracts/mock/DistributionV2.sol#L17-L21

```solidity
function createPool(IDistribution.Pool calldata pool_) public { //@note why this public ?
    pools.push(pool_);
}
```

Impact

MOR tokens can be rewarded in excess.

Tools Used

Manual review

Recommendations

I suggest adding proper access control, such as:

-- function createPool(IDistribution.Pool calldata pool_) public {
++ function createPool(IDistribution.Pool calldata pool_) public onlyOwner {
pools.push(pool_);
}
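
Review bot: on the `++` line, `onlyOwner` restricts the caller, but `pools.push(pool_)` still stores the struct with no validation of its fields. The judging tag on this page notes that `createPool` in `DistributionV2.sol` misses the checks as well as the access control available in `Distribution.sol`, so the same validations should be carried over together with the modifier. The hunk also does not show where `onlyOwner` is defined; confirm the contract inherits an ownable base, otherwise the patched function will not compile.
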
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`createPool` from `DistributionV2.sol` misses all the checks and access control available in `Distribution.sol`
