The sweepAll function in the MErc20DelegateMadFixer contract allows any address to sweep all underlying tokens held by the contract. This lack of access control may result in unauthorized parties draining the contract's funds, leading to financial losses or disruption of protocol operations.
The sweepAll function lacks proper access control. The only check performed is to ensure that the caller is the contract admin (msg.sender == admin). However, there are no restrictions beyond this, allowing any address to call the sweepAll function and sweep all underlying tokens held by the contract.
Manual
To mitigate the risk of unauthorized fund draining, it is recommended to implement proper access control mechanisms in the sweepAll function. Access should be restricted to authorized entities only, such as the contract admin or a designated controller. Additionally, consider implementing withdrawal patterns or time locks to limit the impact of potential attacks and enhance the security of the contract.
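The following is an added illustration of the recommendation, not code from the MErc20DelegateMadFixer contract or the project. It places a constructed sweep function with no caller restriction next to a hardened variant that restricts the call to the admin and adds a two-step time lock (queue, then execute after a delay), so that a sweep is announced on-chain before funds move. The interface, contract names, the `SWEEP_DELAY` value and the queue/cancel/execute functions are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used below (assumed interface, not the project's own).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed illustration of the weak pattern: any caller drains the balance.
contract UnrestrictedSweeper {
    IERC20 public immutable underlying;

    constructor(IERC20 _underlying) { underlying = _underlying; }

    function sweepAll(address to) external {
        // No caller check at all, so the full balance can be moved by anyone.
        underlying.transfer(to, underlying.balanceOf(address(this)));
    }
}

// Hardened variant: admin-only access plus a two-step time lock.
contract TimelockedSweeper {
    IERC20 public immutable underlying;
    address public admin;
    uint256 public constant SWEEP_DELAY = 2 days; // assumed delay; tune per protocol

    address public pendingRecipient;
    uint256 public sweepReadyAt; // 0 when no sweep is queued

    event SweepQueued(address indexed to, uint256 readyAt);
    event SweepCancelled();
    event SweepExecuted(address indexed to, uint256 amount);

    error NotAdmin();
    error ZeroAddress();
    error NothingQueued();
    error TooEarly(uint256 readyAt);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor(IERC20 _underlying, address _admin) {
        if (_admin == address(0)) revert ZeroAddress();
        underlying = _underlying;
        admin = _admin;
    }

    // Step 1: the admin announces the sweep; the delay gives observers time to react.
    function queueSweep(address to) external onlyAdmin {
        if (to == address(0)) revert ZeroAddress();
        pendingRecipient = to;
        sweepReadyAt = block.timestamp + SWEEP_DELAY;
        emit SweepQueued(to, sweepReadyAt);
    }

    // A queued sweep can be withdrawn before it becomes executable.
    function cancelSweep() external onlyAdmin {
        if (sweepReadyAt == 0) revert NothingQueued();
        _clear();
        emit SweepCancelled();
    }

    // Step 2: only the admin, and only once the delay has elapsed, moves the balance.
    function executeSweep() external onlyAdmin {
        uint256 readyAt = sweepReadyAt;
        if (readyAt == 0) revert NothingQueued();
        if (block.timestamp < readyAt) revert TooEarly(readyAt);
        address to = pendingRecipient;
        _clear(); // checks-effects-interactions: reset state before the external call
        uint256 amount = underlying.balanceOf(address(this));
        bool ok = underlying.transfer(to, amount);
        require(ok, "transfer failed");
        emit SweepExecuted(to, amount);
    }

    function _clear() internal {
        pendingRecipient = address(0);
        sweepReadyAt = 0;
    }
}
```

The `onlyAdmin` modifier is the minimum fix; the queue/execute split is what turns an instant, irreversible drain into an event that monitoring can pick up (the `SweepQueued` log) and that the admin can still cancel before `SWEEP_DELAY` expires.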