Incorrect access control in startRequestCancellation function.
The startRequestCancellation function has an incorrect access control modifier. It is currently marked with onlyOwner, which restricts the function to be called only by the contract owner. However, this is not the intended behavior for a bridge contract: the user who initiated the deposit should be able to start the cancellation process for their own request.
Here's the current implementation:
The onlyOwner modifier prevents regular users from initiating the cancellation of their own deposit requests.
Manual review
Remove the onlyOwner modifier and implement a check to ensure that the caller is the original depositor of the request being cancelled.
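The following contract is an added illustration of the recommendation, not code from the audited bridge contract or the CodeHawks submission. The DepositRequest struct, the storage layout, the deposit function and the exact signature of startRequestCancellation are assumptions; only the onlyOwner misuse and the depositor check come from the finding. The first function shows the access-control shape the finding describes, the second shows the recommended one, where the owner-only restriction is dropped and the caller must be the depositor recorded for that request.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for illustration only; not the audited contract's code.
// Struct fields, storage layout and function signatures are assumptions.
contract BridgeCancellationExample {
    struct DepositRequest {
        address depositor;          // who created the request
        uint256 amount;
        bool cancellationStarted;
    }

    address public owner;
    mapping(uint256 => DepositRequest) public requests;
    uint256 public nextRequestId;

    event CancellationStarted(uint256 indexed requestId, address indexed depositor);

    error NotOwner();
    error UnknownRequest(uint256 requestId);
    error NotDepositor(uint256 requestId, address caller);
    error AlreadyCancelling(uint256 requestId);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Assumed deposit entry point: records msg.sender as the depositor.
    function deposit() external payable returns (uint256 requestId) {
        requestId = nextRequestId++;
        requests[requestId] = DepositRequest({
            depositor: msg.sender,
            amount: msg.value,
            cancellationStarted: false
        });
    }

    // Shape described in the finding: gated by onlyOwner, so the depositor
    // cannot start cancellation of their own request.
    function startRequestCancellationOwnerOnly(uint256 requestId) external onlyOwner {
        DepositRequest storage req = requests[requestId];
        if (req.depositor == address(0)) revert UnknownRequest(requestId);
        req.cancellationStarted = true;
        emit CancellationStarted(requestId, req.depositor);
    }

    // Recommended shape: no onlyOwner; the caller must be the original
    // depositor of the request being cancelled.
    function startRequestCancellation(uint256 requestId) external {
        DepositRequest storage req = requests[requestId];
        if (req.depositor == address(0)) revert UnknownRequest(requestId);
        if (req.depositor != msg.sender) revert NotDepositor(requestId, msg.sender);
        if (req.cancellationStarted) revert AlreadyCancelling(requestId);
        req.cancellationStarted = true;
        emit CancellationStarted(requestId, req.depositor);
    }
}
```

The depositor check compares msg.sender against the address stored when the request was created, rather than against a caller-supplied address, so a request can only be moved into cancellation by the account that funded it. The UnknownRequest and AlreadyCancelling guards are extra hygiene the finding does not mention; whether the real contract needs them depends on how its request storage is laid out.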
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.