Dria
Swan
NFTHardhat
21,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Incorrect Logic in `onlyAuthorized` Modifier

chaossr

Summary

The onlyAuthorized modifier in the contract appears to contain incorrect logic for checking authorization. Specifically, the && (AND) operator is used in a way that likely results in overly restrictive access control. This could prevent authorized users from calling certain functions, as only accounts that are both operators and owners are granted access. Replacing this with the || (OR) operator would ensure that the caller is authorized if they meet either condition, as intended.

Vulnerability Details

In the following line:

if (!swan.isOperator(msg.sender) && msg.sender != owner()) {
revert Unauthorized(msg.sender);
}

The && operator checks that the caller is neither an operator nor the owner, meaning only those meeting both conditions are granted access. However, the intended logic is likely to grant access if the caller is either an operator or the owner. Changing && to || would correctly allow either of these roles to pass the check, improving function access reliability.

Impact

It impacts access control for functions protected by onlyAuthorized. If not corrected, this issue could restrict operator access, rendering these functions inaccessible.

Tools Used

Manual code review

Recommendations

Change && to || to properly grant access when the caller is either an operator or the owner, as follows:

if (!swan.isOperator(msg.sender) || msg.sender ! = owner()) {
revert Unauthorized(msg.sender);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.