DoS to liquidate borrower due to incorrect logical operator in onlyManagerOrOwner
Description
The StabilityPool::onlyManagerOrOwner modifier incorrectly uses the && operator instead of ||, which results in unintended access denial for authorized users. This logic flaw prevents either managers or the owner from executing protected functions if they are not both true.
The modifier is intended to allow access if
msg.senderis either a manager or the owner.The current logic requires both conditions to be false to revert, which is contrary to the intended access control.
Impact
Access Denial: Authorized users (managers or the owner) may be unable to perform critical operations, leading to operational inefficiencies.
Security Risk: The incorrect logic could inadvertently allow unauthorized users to execute functions if access control is not properly enforced elsewhere.
Affected Parties: Managers and the owner who rely on executing privileged functions will be impacted by this access control flaw.
Recommended Mitigation
Option 1: Correct the Logical Operator
Option 2: Rename Modifier for Clarity
If the logic is intended, rename the modifier to
onlyManagerAndOwnerto reflect the requirement for both roles to be true.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.