Snowman Merkle Airdrop

First Flight #42
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

### [H-2] Access control issue in the protocol's critical `Snow::changeCollector` function


Description

The `Snow::changeCollector` function can only be called by the current collector. Since the collector role can claim the protocol fees paid by users, this is a high-severity risk if the current collector becomes malicious or is compromised.

Impact:

1. The current collector can change the collector to an unauthorised or malicious address.

2. Fees can be redirected to the collector themselves or to any other unintended address.

Proof of Concept

Attack Scenario:

The current collector can update the collector address to a malicious address via the `changeCollector` function.

Recommended Mitigation

The protocol's critical function must be callable by the owner only.

```solidity
// Recommended change: add the onlyOwner modifier
function changeCollector(address _newCollector) external onlyOwner {
    if (_newCollector == address(0)) {
        revert S__ZeroAddress();
    }
    s_collector = _newCollector;
    emit NewCollector(_newCollector);
}
```
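To check that the mitigation behaves as intended, here is an added Foundry test that is not part of the submission or the Snowman codebase; it runs against a minimal stand-in contract (`SnowStandIn`, `i_owner` and `S__NotOwner` are assumptions, not names from Snow.sol) and verifies that only the owner can rotate the collector role.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for Snow: only the storage, errors and event changeCollector touches.
contract SnowStandIn {
    error S__ZeroAddress();
    error S__NotOwner();
    event NewCollector(address indexed newCollector);
    address public immutable i_owner;
    address public s_collector;

    modifier onlyOwner() {
        if (msg.sender != i_owner) revert S__NotOwner();
        _;
    }

    constructor(address collector) {
        i_owner = msg.sender; // the deployer is the owner in this stand-in
        s_collector = collector;
    }

    // Mitigated version: the collector role can only be rotated by the owner.
    function changeCollector(address _newCollector) external onlyOwner {
        if (_newCollector == address(0)) revert S__ZeroAddress();
        s_collector = _newCollector;
        emit NewCollector(_newCollector);
    }
}

contract ChangeCollectorTest is Test {
    SnowStandIn snow;
    address owner = makeAddr("owner");
    address collector = makeAddr("collector");
    address other = makeAddr("other");

    function setUp() public {
        vm.prank(owner); // prank applies to the creation, so owner deploys
        snow = new SnowStandIn(collector);
    }

    // The current collector can no longer hand the role to an arbitrary address.
    function test_collectorCannotRotateRole() public {
        vm.prank(collector);
        vm.expectRevert(SnowStandIn.S__NotOwner.selector);
        snow.changeCollector(other);
    }

    // The owner can rotate the role, and the zero-address guard still applies.
    function test_ownerRotatesRoleAndZeroAddressReverts() public {
        vm.prank(owner);
        snow.changeCollector(other);
        assertEq(snow.s_collector(), other);
        vm.prank(owner);
        vm.expectRevert(SnowStandIn.S__ZeroAddress.selector);
        snow.changeCollector(address(0));
    }
}
```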
Updates

Lead Judging Commences
yeahchibyke (Lead Judge), 4 days ago

Submission Judgement Published
yeahchibyke (Lead Judge), 1 day ago
Invalidated
Reason: Design choice
