Tadle
DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Missing `onlyOwner` Modifier in `withdraw()` Function

Summary

The `withdraw()` function in the `TokenManager.sol` contract is intended to be called only by the admin, as indicated in the function's natspec comments. However, the function lacks the `onlyOwner` modifier, which is necessary to enforce this restriction.

Vulnerability Details

The withdraw() function is documented to be an admin-only function, yet it is missing the onlyOwner modifier that would ensure only the contract owner (admin) can execute it. Without this modifier, any user could potentially call the withdraw() function, leading to unauthorized withdrawals from the contract.

Code:

    function withdraw(
        address _tokenAddress,
        TokenBalanceType _tokenBalanceType
 @> ) external whenNotPaused {
        uint256 claimAbleAmount = userTokenBalanceMap[_msgSender()][
            _tokenAddress
        ][_tokenBalanceType];
        ...
    }


Impact

This could allow unauthorized users to withdraw funds from the contract, leading to a financial loss.

Tools Used

Manual Review

Recommendations

Add onlyOwner Modifier: Apply the onlyOwner modifier to the withdraw() function to ensure that only the admin can execute it.

Updates

Lead Judging Commences

0xnevi Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-TokenManager-withdraw-lack-access-control

Invalid: withdrawals are gated to the caller context `msg.sender`, not to anybody. This acts as the access control and hence the "owner" check for withdrawing collateral/points tokens after finalization of market actions.
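To make the judge's reasoning concrete, the following is an added illustration written for this page; it is not Tadle's code and not part of the submission or the judgement. The contract name, the `TokenBalanceType` members, the `deposit` helper and the contrasting `sweepFor` function are all assumptions chosen to mirror the pattern in the finding. The point it shows: a withdrawal that reads and zeroes `userTokenBalanceMap[msg.sender][...]` can only ever pay out the caller's own entry, so the mapping key is the access control, and an `onlyOwner` modifier on it would lock every ordinary user out of their funds. A function that takes the beneficiary as a parameter is the shape where a missing modifier actually is a bug.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract for this page only, not Tadle's TokenManager.
// Everything named here (CallerScopedLedger, the enum members, deposit,
// sweepFor) is an assumption made for the example.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract CallerScopedLedger {
    // Hypothetical balance categories; the real enum has different members.
    enum TokenBalanceType { Collateral, PointToken }

    address public immutable owner;
    bool public paused;

    // user => token => balance type => claimable amount (same shape as userTokenBalanceMap)
    mapping(address => mapping(address => mapping(TokenBalanceType => uint256)))
        public userTokenBalanceMap;

    event Withdraw(address indexed user, address indexed token, TokenBalanceType balanceType, uint256 amount);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor() { owner = msg.sender; }

    function setPaused(bool _paused) external onlyOwner { paused = _paused; }

    // In the protocol the credits are written by the market logic once an action
    // finalizes; a direct deposit stands in for that here so the example is complete.
    function deposit(address _tokenAddress, TokenBalanceType _type, uint256 _amount) external whenNotPaused {
        require(IERC20Minimal(_tokenAddress).transferFrom(msg.sender, address(this), _amount), "transferFrom failed");
        userTokenBalanceMap[msg.sender][_tokenAddress][_type] += _amount;
    }

    // Caller-scoped withdrawal, the pattern the judge describes: the only balance
    // this function can pay out is msg.sender's own entry, so no owner check is
    // needed, and adding onlyOwner would block every other user's withdrawals.
    function withdraw(address _tokenAddress, TokenBalanceType _type) external whenNotPaused {
        uint256 claimable = userTokenBalanceMap[msg.sender][_tokenAddress][_type];
        require(claimable > 0, "nothing to claim");
        userTokenBalanceMap[msg.sender][_tokenAddress][_type] = 0; // effects before interaction
        require(IERC20Minimal(_tokenAddress).transfer(msg.sender, claimable), "transfer failed");
        emit Withdraw(msg.sender, _tokenAddress, _type, claimable);
    }

    // Hypothetical contrast: the beneficiary is a parameter, so this pays out
    // someone else's entry. Here a missing modifier would be a real
    // access-control bug; this is the shape a valid version of the finding needs.
    function sweepFor(address _user, address _tokenAddress, TokenBalanceType _type, address _to) external onlyOwner {
        uint256 amount = userTokenBalanceMap[_user][_tokenAddress][_type];
        require(amount > 0, "nothing to sweep");
        userTokenBalanceMap[_user][_tokenAddress][_type] = 0;
        require(IERC20Minimal(_tokenAddress).transfer(_to, amount), "transfer failed");
        emit Withdraw(_user, _tokenAddress, _type, amount);
    }
}
```

The review check this suggests: before reporting a "missing `onlyOwner`" on a withdrawal, trace which address keys the state it reads and zeroes. If every path is keyed by `msg.sender` (or `_msgSender()` in a meta-transaction setup), the caller can only drain their own entry; the finding is only valid when a caller-supplied address or a global pool is involved.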
