Lack of access control modifier on the PriorityPool#`performUpkeep()`, which allow `anyone` to call the PriorityPool#`performUpkeep()`
Summary
Lack of access control modifier on the PriorityPool#performUpkeep(), which allow anyone to call the PriorityPool#performUpkeep().
Vulnerability Details
According to the Chainlink documentation, the performUpkeep() is supposed to be called by Chainlink Network (Chainlink Keeper).
However, within the PriorityPool#performUpkeep(), there is no access control modifier like this:
https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/core/priorityPool/PriorityPool.sol#L437
Also, within the LSTRewardsSplitter#performUpkeep(), there is also no access control modifier like this:
https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/core/lstRewardsSplitter/LSTRewardsSplitter.sol#L101
Impact
This allow anyone to be able to call the PriorityPool#performUpkeep() and the LSTRewardsSplitter#splitRewards() anytime they want, which is unexpected situation for this protocol design.
Tools Used
Manual review
Recommendations
Within both the PriorityPool#performUpkeep() and the LSTRewardsSplitter#performUpkeep(), consider adding an access control modifier (i.e. onlyKeeper modifier) in order only Chainlink Keeper to be able to call the both functions.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.