Submission Details
Impact:
Likelihood:
Unused modifier `onlyowner`
Author Revealed upon completion
Root + Impact
Description
-
External functions which can be called by
owneronly should use the defined modifieronlyowner. -
The modifier
onlyowneris defined but not approptiately appled to relevent functions. This increases management overhead.
// @>TreasureHunt.sol
modifier onlyOwner() { // defined but not used
require(msg.sender == owner, "ONLY_OWNER");
_;
}
Risk
Likelihood:
-
Reason 1: Many key functions are
onlyownercallable. -
Reason 2
Impact:
-
Impact 1: The bug increases management overhead.
-
Impact 2
Proof of Concept
The below functions can use onlyownermodifier:
// TreasureHunt.sol
function fund() external payable {
require(msg.sender==owner, "ONLY_OWNER_CAN_FUND"); // can use `onlyowner` modifier
require(msg.value > 0, "NO_ETH_SENT");
emit Funded(msg.value, address(this).balance);
}
/// @notice Pause the contract.
function pause() external {
require(msg.sender == owner, "ONLY_OWNER_CAN_PAUSE"); // can use `onlyowner` modifier
paused = true;
emit Paused(msg.sender);
}
Recommended Mitigation
Use onlyownermodifier on functions callable by owner only.
// TreasureHunt.sol
- function fund() external payable {
+ function fund() external payable onlyowner() {
- require(msg.sender==owner, "ONLY_OWNER_CAN_FUND");
require(msg.value > 0, "NO_ETH_SENT");
emit Funded(msg.value, address(this).balance);
}
/// @notice Pause the contract.
- function pause() external {
+ function pause() external onlyowner() {
- require(msg.sender == owner, "ONLY_OWNER_CAN_PAUSE");
paused = true;
emit Paused(msg.sender);
}
/// @notice Unpause the contract.
- function unpause() external {
+ function unpause() external onlyowner() {
- require(msg.sender == owner, "ONLY_OWNER_CAN_UNPAUSE");
paused = false;
emit Unpaused(msg.sender);
}
Rewards breakdown
nSLOC
220This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.