The contract exhibits an incomplete access control vulnerability in the functions setRewardTokenConfig and setDepositTokenConfig. Neither function checks who the caller is, so any address, not just the owner or administrator, can modify these critical configurations, which poses a significant security risk.
An unauthorized caller can overwrite the reward token and deposit token configurations, enabling abuse, manipulation, or disruption of the intended functionality (for example, redirecting rewards or altering which tokens are accepted). This can result in financial losses for users and compromises the integrity of the contract.
Manual code review.
Restrict execution of setRewardTokenConfig and setDepositTokenConfig to authorized addresses. Inherit from OpenZeppelin's Ownable, or define an equivalent modifier that checks msg.sender against the owner/administrator, and apply it to both functions so that the check runs before any configuration update.
With the contract inheriting from Ownable and both setters guarded by onlyOwner, any call from an address other than the contract owner reverts before state is modified, preventing unauthorized changes to critical configurations.
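The following is an added example illustrating the recommended fix; it is not code from the audited contract. The parameter list and storage layout of the two setters (TokenConfig, token, rate, enabled) are assumptions, since the finding does not show them; only the names setRewardTokenConfig and setDepositTokenConfig come from the finding. The vulnerable contract is shown beside the hardened one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/access/Ownable.sol";

// Assumed configuration shape; the audited contract's real fields are not
// shown in the finding.
struct TokenConfig {
    address token;
    uint256 rate;
    bool enabled;
}

// Before: the setters have no caller check, so any address can overwrite
// the reward and deposit configuration.
contract StakingConfigVulnerable {
    mapping(address => TokenConfig) public rewardTokenConfig;
    mapping(address => TokenConfig) public depositTokenConfig;

    function setRewardTokenConfig(address token, uint256 rate, bool enabled) external {
        rewardTokenConfig[token] = TokenConfig(token, rate, enabled);
    }

    function setDepositTokenConfig(address token, uint256 rate, bool enabled) external {
        depositTokenConfig[token] = TokenConfig(token, rate, enabled);
    }
}

// After: the contract inherits Ownable and both setters are guarded by
// onlyOwner, so a call from any address other than the owner reverts
// before storage is touched. Events make configuration changes auditable.
contract StakingConfigFixed is Ownable {
    mapping(address => TokenConfig) public rewardTokenConfig;
    mapping(address => TokenConfig) public depositTokenConfig;

    event RewardTokenConfigSet(address indexed token, uint256 rate, bool enabled);
    event DepositTokenConfigSet(address indexed token, uint256 rate, bool enabled);

    // OpenZeppelin v5 requires the initial owner as a constructor argument;
    // with v4, use a bare `constructor() {}` and the deployer becomes owner.
    constructor(address initialOwner) Ownable(initialOwner) {}

    function setRewardTokenConfig(address token, uint256 rate, bool enabled) external onlyOwner {
        require(token != address(0), "reward token is zero address");
        rewardTokenConfig[token] = TokenConfig(token, rate, enabled);
        emit RewardTokenConfigSet(token, rate, enabled);
    }

    function setDepositTokenConfig(address token, uint256 rate, bool enabled) external onlyOwner {
        require(token != address(0), "deposit token is zero address");
        depositTokenConfig[token] = TokenConfig(token, rate, enabled);
        emit DepositTokenConfigSet(token, rate, enabled);
    }
}
```

To confirm the fix, a Foundry test can call each setter from a non-owner address via vm.prank and expect a revert (OwnableUnauthorizedAccount in OpenZeppelin v5, "Ownable: caller is not the owner" in v4), then call it as the owner and check the stored configuration. If the protocol uses a multisig or timelock as administrator, pass that address as initialOwner rather than an EOA.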