The RockPaperScissors::setJoinTimeout function is documented as an "admin function" in its NatSpec comment, and the README likewise states that only an admin can update the timeout. However, the function restricts access with require(msg.sender == owner()), meaning that only the contract owner can call it.
The @notice tag describes the function as an "admin function", which usually implies it is callable by a designated admin (i.e. adminAddress). This discrepancy between what the documentation says and what the code enforces may lead to misunderstandings about who is authorized to execute this function.
Potential misunderstanding of the contract's access-control roles, leading to incorrect assumptions about who has the authority to call setJoinTimeout (for example, an operator assuming the designated admin can update the timeout when in fact only the owner can).
Manual Review
The roles each actor can perform need to be stated clearly and consistently, from the README through the NatSpec down to the check enforced in code. Either document setJoinTimeout as owner-only (and update the README to match), or restrict it to adminAddress so the code matches the existing documentation. Whichever role is chosen, all three should agree.
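The following contract is an added illustration written for this finding; it is not the RockPaperScissors code under review. It assumes a uint256 parameter for setJoinTimeout, an adminAddress state variable as referenced by the README, and a minimal owner() getter standing in for whatever Ownable implementation the project uses. The first function reproduces the mismatch described above (NatSpec says "admin", the check says "owner"); the second shows the documentation and the check agreeing on a single role, with the owner assigning that role explicitly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @dev Added example for this finding, not project code. `owner()`,
///      `adminAddress` and the function signature are assumptions taken
///      from the finding's description.
contract JoinTimeoutRolesExample {
    address private _owner;
    address public adminAddress;
    uint256 public joinTimeout;

    error NotOwner(address caller);
    error NotAdmin(address caller);

    event JoinTimeoutUpdated(uint256 oldTimeout, uint256 newTimeout);
    event AdminUpdated(address indexed oldAdmin, address indexed newAdmin);

    constructor(address admin_, uint256 initialTimeout) {
        _owner = msg.sender;
        adminAddress = admin_;
        joinTimeout = initialTimeout;
    }

    /// @dev Minimal stand-in for Ownable's owner() getter.
    function owner() public view returns (address) {
        return _owner;
    }

    modifier onlyOwner() {
        if (msg.sender != _owner) revert NotOwner(msg.sender);
        _;
    }

    modifier onlyAdmin() {
        if (msg.sender != adminAddress) revert NotAdmin(msg.sender);
        _;
    }

    /// @notice Admin function: updates the join timeout.
    /// @dev Reproduces the mismatch in the finding: the NatSpec advertises an
    ///      admin role, but the check only admits the owner. Whenever
    ///      adminAddress != owner(), the "admin" the README names cannot call
    ///      this, and the owner can despite not being described as able to.
    function setJoinTimeoutAsReported(uint256 newTimeout) external {
        require(msg.sender == owner(), "only owner");
        joinTimeout = newTimeout;
    }

    /// @notice Updates the join timeout. Callable only by `adminAddress`.
    /// @dev Documentation and check name the same role, so a reader of the
    ///      NatSpec, the README and the code all reach the same conclusion.
    function setJoinTimeout(uint256 newTimeout) external onlyAdmin {
        uint256 old = joinTimeout;
        joinTimeout = newTimeout;
        emit JoinTimeoutUpdated(old, newTimeout);
    }

    /// @notice Assigns the admin role. Callable only by the owner.
    /// @dev The owner is not implicitly the admin; if the owner should also be
    ///      able to update the timeout, it must be set as adminAddress here,
    ///      which keeps the privilege visible on-chain rather than implied.
    function setAdmin(address newAdmin) external onlyOwner {
        address old = adminAddress;
        adminAddress = newAdmin;
        emit AdminUpdated(old, newAdmin);
    }
}
```

A quick check that surfaces the discrepancy in a test suite: deploy with an admin that differs from the deployer, call setJoinTimeoutAsReported from the admin, and observe the "only owner" revert; the same call against setJoinTimeout succeeds. Either direction of fix is acceptable for the finding, but the check and the documentation must name the same role.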
Code suggestions or observations that do not pose a direct security risk.