MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Valid

createPool() in DistributionV2.sol can be called by anyone

Summary

createPool() in DistributionV2.sol can be called by anyone

Vulnerability Details

Because createPool() can be called by anyone, an attacker can create a pool with bad parameters that is of no use to users.

Impact

Users may deposit/stake their funds into the attacker's pools, which are of no use to them. The attacker creates the pool with Pool struct values of their own choosing:

```solidity
struct Pool {
    uint128 payoutStart;
    uint128 decreaseInterval;
    uint128 withdrawLockPeriod;
    uint128 claimLockPeriod;
    uint128 withdrawLockPeriodAfterStake;
    uint256 initialReward;
    uint256 rewardDecrease;
    uint256 minimalStake;
    bool isPublic;
}
```

Tools Used

Manual review

Recommendations

Add access control to createPool(), as you did in Distribution.sol.
https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/Distribution.sol#L73
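
The sketch below is an added illustration of the recommendation, not code from the Morpheus repository: it places the reported pattern (an unrestricted createPool) beside an owner-restricted version. The contract name, the owner mechanism, the event, the custom errors and the two parameter checks are assumptions chosen for the example; only the Pool struct and the createPool name come from the submission.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not the Morpheus contracts. Every name other than
// Pool and createPool is hypothetical.
contract PoolRegistrySketch {
    struct Pool {
        uint128 payoutStart;
        uint128 decreaseInterval;
        uint128 withdrawLockPeriod;
        uint128 claimLockPeriod;
        uint128 withdrawLockPeriodAfterStake;
        uint256 initialReward;
        uint256 rewardDecrease;
        uint256 minimalStake;
        bool isPublic;
    }

    address public immutable owner;
    Pool[] public pools;

    event PoolCreated(uint256 indexed poolId);
    error NotOwner();
    error InvalidPool();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Reported pattern: no caller restriction and no parameter validation.
    function createPoolUnrestricted(Pool calldata pool_) external {
        pools.push(pool_);
    }

    // Hardened form: owner-only, with assumed sanity checks on the parameters.
    function createPool(Pool calldata pool_) external onlyOwner {
        // Assumed checks: payout must start in the future, and a reward
        // decrease needs a non-zero interval to be applied over.
        if (pool_.payoutStart <= block.timestamp) revert InvalidPool();
        if (pool_.rewardDecrease > 0 && pool_.decreaseInterval == 0) revert InvalidPool();
        pools.push(pool_);
        emit PoolCreated(pools.length - 1);
    }
}
```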

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`createPool` from DistributionV2.sol misses all the checks and access control available in Distribution.sol
