Submission Details
Impact:
Likelihood:
Missing Authorization on Hook / Callback Execution Enables State Manipulation
Root + Impact
Description
-
Hook or callback functions are expected to be invoked only by the trusted pool manager as part of normal protocol execution.
Callback functions lack sender validation, allowing arbitrary external callers to trigger internal state changes without a legitimate pool action.
// @> Missing sender validation on hook execution
function beforeSwap(...) external {
// state changes
}
Risk
Likelihood:
-
Occurs whenever hook functions are externally callable
Requires no special permissions or timing assumptions
Impact:
-
Attackers can manipulate internal protection state
Undermines anti-bot, fee, or cooldown logic
Proof of Concept
// Direct external call without pool interaction
hook.beforeSwap(...);
Recommended Mitigation
Restrict hook execution to the trusted pool manager.
- remove this code
+ add this code
+ modifier onlyPoolManager() {
+ require(msg.sender == poolManager, "Unauthorized caller");
+ _;
+ }
function beforeSwap(...) external
+ onlyPoolManager
{
...
}
Rewards breakdown
nSLOC
273This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.