Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Missing access modifier in `withdraw` function

Summary

The withdraw function in the smart contract contains a discrepancy between the NatSpec documentation and the actual code implementation. The function is documented to be accessible only by the contract owner; however, there is no actual code enforcement of this restriction. This oversight may result in unauthorized withdrawals from the contract.

Vulnerability Details

The NatSpec documentation indicates that the function is restricted to the contract owner, but the function code does not implement this restriction. This represents a critical security flaw in the contract.

Impact

  • Unauthorized Access: Without proper access control, any user can call the withdraw function, potentially draining funds intended to be withdrawn only by the owner.

Tools Used

Recommendations

Add the onlyOwner modifier to the withdraw function to enforce that only the contract owner can execute it.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[invalid] finding-TokenManager-withdraw-lack-access-control

Invalid: withdrawals are gated to the caller context `msg.sender`, not open to anybody. This acts as the access control, and hence as the "owner", for withdrawing collateral/points tokens after finalization of market actions.
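As an added illustration (not Tadle's TokenManager code, which this page does not show), the hypothetical contract below contrasts the two readings of "owner" at issue in this finding: a treasury sweep that genuinely needs an owner check, and a per-user withdrawal where the `msg.sender` balance lookup is itself the access control, so a stranger calling it only reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Illustrative contract only (not the audited project's code).
contract WithdrawPatterns {
    address public immutable owner;
    // token => user => amount credited to that user
    mapping(address => mapping(address => uint256)) public userBalance;
    // token => fees accrued to the protocol treasury
    mapping(address => uint256) public protocolFees;

    error NotOwner();
    error Insufficient();

    constructor() { owner = msg.sender; }

    /// Users fund their own balance; the credit is keyed on msg.sender.
    function deposit(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        userBalance[token][msg.sender] += amount;
    }

    /// Pattern A: "owner" means the contract owner. Without this explicit
    /// check anyone could sweep protocol fees, so a modifier-style guard is required.
    function sweepFees(address token, uint256 amount) external {
        if (msg.sender != owner) revert NotOwner();
        if (protocolFees[token] < amount) revert Insufficient();
        protocolFees[token] -= amount;
        require(IERC20(token).transfer(owner, amount), "push failed");
    }

    /// Pattern B: "owner" means the owner of the balance being withdrawn.
    /// No onlyOwner modifier is needed: the caller can only move what is
    /// recorded under msg.sender, and any other account simply reverts.
    function withdraw(address token, uint256 amount) external {
        uint256 bal = userBalance[token][msg.sender];
        if (bal < amount) revert Insufficient();
        userBalance[token][msg.sender] = bal - amount;
        require(IERC20(token).transfer(msg.sender, amount), "push failed");
    }
}
```

When reviewing a `withdraw` whose NatSpec says "owner", check which mapping the function reads before concluding that a modifier is missing: if the amount is looked up under `msg.sender`, Pattern B applies and the documented restriction is already enforced by the accounting.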
