The LoveToken contract lacks proper access control in the initVault function, allowing unauthorized addresses to distribute tokens. This vulnerability could lead to unauthorized token distribution, potentially resulting in financial losses and undermining the integrity of the LoveToken protocol.
The initVault function in the LoveToken contract lacks access control checks, allowing any caller to distribute tokens to the Airdrop or Staking contracts without proper authorization.
The lack of access control in the initVault function poses a significant security risk to the LoveToken protocol. Malicious actors could exploit this vulnerability to distribute tokens to unauthorized addresses, leading to inflation of the token supply and potential financial losses for users relying on the LoveToken rewards for staking or other purposes.
No specific tools were used to identify this vulnerability. It was identified through manual code review and analysis.
Implement access control so that only authorized addresses can call the initVault function. This can be achieved by defining and managing a list of authorized addresses or contracts, enforcing the check with a modifier or a require statement, and considering a role-based access control (RBAC) system. Regularly review and update the list of authorized addresses to ensure that only the intended contracts have permission to distribute tokens.
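The following is an added illustration, not the LoveToken project's code: a hypothetical minimal token whose initVault has the flaw described above, beside a hardened version that restricts the caller and makes initialisation one-shot. The function signature, the use of minting for "distribution", and the OpenZeppelin imports are assumptions; the audited contract's actual code is not on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical reconstruction of the weak pattern (assumed shape, not the audited code).
contract LoveTokenVulnerable is ERC20 {
    uint256 public constant VAULT_SUPPLY = 1_000_000e18;

    constructor() ERC20("LoveToken", "LOVE") {}

    // No caller check and no one-shot guard: any address can trigger the vault
    // allocation, to recipients of its choosing, and can do so repeatedly.
    function initVault(address airdrop, address staking) external {
        _mint(airdrop, VAULT_SUPPLY / 2);
        _mint(staking, VAULT_SUPPLY / 2);
    }
}

// Hardened version: only the owner may call initVault, it can run only once,
// and the recipients are validated. Ownable is OpenZeppelin's (v5 constructor form).
contract LoveTokenFixed is ERC20, Ownable {
    uint256 public constant VAULT_SUPPLY = 1_000_000e18;
    bool public vaultInitialised;

    event VaultInitialised(address indexed airdrop, address indexed staking);

    constructor() ERC20("LoveToken", "LOVE") Ownable(msg.sender) {}

    function initVault(address airdrop, address staking) external onlyOwner {
        require(!vaultInitialised, "vault already initialised");
        require(airdrop != address(0) && staking != address(0), "zero address");
        vaultInitialised = true; // set before minting (checks-effects-interactions)
        _mint(airdrop, VAULT_SUPPLY / 2);
        _mint(staking, VAULT_SUPPLY / 2);
        emit VaultInitialised(airdrop, staking);
    }
}
```

A Foundry test for the fixed contract should assert that a call from a non-owner address (via vm.prank) reverts, and that a second owner call reverts with "vault already initialised".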