Submission Details
Severity:
Anyone can call init() potentially bricking protocol
Summary
Function can be called by anyone including malicious users.
Vulnerability Details
The function can be called by anyone including unauthorized users.
function init() external {
// Turn off Bean:Eth Minting while Multi Flow Pump catches up
delete s.wellOracleSnapshots[C.BEAN_ETH_WELL];
s.season.beanEthStartMintingSeason = s.season.current + BEAN_ETH_PUMP_CATCH_UP_SEASONS;
LibWhitelist.whitelistToken(
C.BEAN_WSTETH_WELL,
BDVFacet.wellBdv.selector,
STALK_ISSUED_PER_BDV,
0, // No need to set Stalk issued per BDV
0x01,
IGaugePointFacet.defaultGaugePointFunction.selector,
ILiquidityWeightFacet.maxWeight.selector,
BEAN_WSTETH_INITIAL_GAUGE_POINTS,
OPTIMAL_PERCENT_DEPOSITED_BDV
);
LibWhitelist.updateOptimalPercentDepositedBdvForToken(
C.BEAN_ETH_WELL,
MAX_PERCENT_DEPOSITED_BDV - OPTIMAL_PERCENT_DEPOSITED_BDV
);
LibFertilizer.beginBarnRaiseMigration(C.BEAN_WSTETH_WELL);
}
Impact
Anyone can call init() potentially bricking protocol
Tools Used
Manual Review
Recommendations
Include modifier and whitelist authorized user
Updates
Lead Judging Commences
giovannidisiena about 1 year ago
Submission Judgement Published Reason: Incorrect statement
Assigned finding tags:
Init access control
0x11singh99
about 1 year ago
giovannidisiena about 1 year ago
Submission Judgement Published Reason: Incorrect statement
Assigned finding tags:
Init access control
Prize pool breakdown
Total prize
35,000 USDC
nSLOC
1,99118 USDC / LOC
30,000 USDC
1,500 USDC
3,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.