Vanguard

First Flight #56
Beginner Friendly, DeFi, Foundry
Submission Details
Impact: medium
Likelihood: medium

Missing Authorization on Hook / Callback Execution Enables State Manipulation

Root + Impact

Description

  • Hook or callback functions are expected to be invoked only by the trusted pool manager as part of normal protocol execution.

  • Callback functions lack sender validation, allowing arbitrary external callers to trigger internal state changes without a legitimate pool action.

// @> Missing sender validation on hook execution
function beforeSwap(...) external {
// state changes
}

Risk

Likelihood:

  • Occurs whenever hook functions are externally callable

  • Requires no special permissions or timing assumptions

Impact:

  • Attackers can manipulate internal protection state

  • Undermines anti-bot, fee, or cooldown logic

Proof of Concept

// Direct external call without pool interaction
hook.beforeSwap(...);
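
The direct call above, turned into a regression check: once a hook restricts its caller to the pool manager, the same call from any other address must revert and leave state untouched. This is an added example, not the audited contract or the submission's own code; the one-argument `beforeSwap` signature, the `lastSwapBlock` mapping, and the `GuardedHook`, `Outsider` and `GuardedHookCheck` names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: simplified hook, not the audited contract. The one-argument
// beforeSwap signature and the cooldown mapping are assumptions.
contract GuardedHook {
    address public immutable poolManager;
    mapping(address => uint256) public lastSwapBlock; // per-trader cooldown state

    error UnauthorizedCaller(address caller);

    constructor(address _poolManager) {
        poolManager = _poolManager;
    }

    modifier onlyPoolManager() {
        if (msg.sender != poolManager) revert UnauthorizedCaller(msg.sender);
        _;
    }

    // Without the modifier, any account could overwrite a trader's cooldown entry.
    function beforeSwap(address trader) external onlyPoolManager {
        lastSwapBlock[trader] = block.number;
    }
}

// Stands in for an arbitrary external caller that is not the pool manager.
contract Outsider {
    function callHook(GuardedHook hook, address trader) external returns (bool reverted) {
        try hook.beforeSwap(trader) { return false; } catch { return true; }
    }
}

// Regression check: this contract deploys the hook and acts as its pool manager.
contract GuardedHookCheck {
    function run() external returns (bool) {
        GuardedHook hook = new GuardedHook(address(this));
        Outsider outsider = new Outsider();
        address trader = address(0xBEEF); // constructed sample address

        require(outsider.callHook(hook, trader), "outsider call must revert");
        require(hook.lastSwapBlock(trader) == 0, "state must stay untouched");

        hook.beforeSwap(trader); // legitimate path: msg.sender is the pool manager
        require(hook.lastSwapBlock(trader) == block.number, "manager call updates state");
        return true;
    }
}
```

Calling `run()` on a deployed `GuardedHookCheck` returns `true` only if the outsider's call reverted and the pool manager's call succeeded.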

Recommended Mitigation

  • Restrict hook execution to the trusted pool manager.

- remove this code
+ add this code
+ modifier onlyPoolManager() {
+ require(msg.sender == poolManager, "Unauthorized caller");
+ _;
+ }
function beforeSwap(...) external
+ onlyPoolManager
{
...
}
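
Review bot: `poolManager` is compared against `msg.sender` in the added `onlyPoolManager` modifier, but the visible lines never declare or initialize it. Declare it as an immutable address set in the constructor, since a value left unset would make the check reject every caller, the real pool manager included. The finding covers hook and callback functions in general, so the modifier should be applied to every externally callable hook function, not only `beforeSwap`. The leading `- remove this code` and `+ add this code` lines look like template placeholders and should be dropped from the final patch.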
