The NatSpec documentation for `TokenManager::withdraw` indicates that the function caller must be the owner, but the function lacks access control mechanisms such as the `onlyOwner` modifier. However, the function appears to be intended for use by any user wishing to withdraw their own balance, rather than being restricted exclusively to the contract owner. This leads us to conclude that the vulnerability stems from incorrect NatSpec documentation rather than missing access control mechanisms. This conclusion should nevertheless be verified by the protocol development team.
The severity level of this issue can be rated as LOW, as has been the case in some previous audits, e.g.^[https://solodit.xyz/issues/l-07-natspec-incorrect-code4rena-rubicon-rubicon-contest-git].
Users or developers reviewing the documentation might be confused about who is authorized to call the function. This could lead to misunderstandings about the function's intended use and permissions. Other developers working with or integrating the protocol might make incorrect assumptions about access control, leading to misconfigurations or inappropriate implementations based on the erroneous NatSpec comments. Potential users might refrain from using the function if they incorrectly assume that they must have special privileges or ownership to perform withdrawals, potentially limiting the protocol's usability and adoption.
manual review, vscode
To mitigate these issues, it's crucial to ensure that the documentation accurately reflects the intended behavior and permissions of the function. Consider adjusting the NatSpec documentation and removing the `@dev Caller must be owner` comment:
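A mechanical check for this class of mismatch, added here as an example and not taken from the finding or the protocol's code. The Solidity sample is constructed (only the names `TokenManager`, `withdraw`, `onlyOwner` and the `@dev` wording come from the finding), and the check assumes access control is expressed as a modifier in the function header, so inline `require` checks are not recognised.

```python
import re

# Constructed sample, not the audited contract: function bodies and setFee
# are assumptions made for illustration.
SAMPLE = '''
contract TokenManager {
    /// @notice Withdraws the caller's balance
    /// @dev Caller must be owner
    function withdraw(uint256 amount) external {
        balances[msg.sender] -= amount;
    }

    /**
     * @notice Updates the fee
     * @dev Caller must be owner
     */
    function setFee(uint256 fee) external onlyOwner {
        currentFee = fee;
    }
}
'''

# A NatSpec block (/// lines or one /** ... */) directly above a function header.
FUNC = re.compile(
    r'(?P<doc>(?:[ \t]*///[^\n]*\n)+|[ \t]*/\*\*(?:(?!\*/).)*\*/[ \t]*\n)'
    r'[ \t]*function\s+(?P<name>\w+)\s*\([^)]*\)(?P<header>[^{;]*)',
    re.DOTALL)
# Wording that claims an owner-only caller.
OWNER_CLAIM = re.compile(r'caller\s+must\s+be\s+(the\s+)?owner|only\s+(the\s+)?owner', re.I)


def natspec_owner_mismatches(source, modifier='onlyOwner'):
    """Return names of functions whose NatSpec claims an owner-only caller
    while the function header does not carry `modifier`."""
    findings = []
    for m in FUNC.finditer(source):
        claims_owner = OWNER_CLAIM.search(m.group('doc'))
        has_modifier = re.search(r'\b%s\b' % re.escape(modifier), m.group('header'))
        if claims_owner and not has_modifier:
            findings.append(m.group('name'))
    return findings


if __name__ == '__main__':
    for name in natspec_owner_mismatches(SAMPLE):
        print(f'{name}: NatSpec says owner-only, header has no onlyOwner')
```

Each reported function needs a decision from the development team: either the comment is wrong, or the modifier is missing.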