Open code423n4 opened 2 years ago
WatchPug
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/facets/shared/Access/CallProtection.sol#L8-L12
require( msg.sender == LibDiamond.diamondStorage().contractOwner || msg.sender == address(this), "NOT_ALLOWED" );
Can be changed to:
require( msg.sender == address(this) || msg.sender == LibDiamond.diamondStorage().contractOwner, "NOT_ALLOWED" );
When msg.sender != address(this), can exit earlier and avoiding more expensive check of msg.sender == LibDiamond.diamondStorage().contractOwner.
msg.sender != address(this)
msg.sender == LibDiamond.diamondStorage().contractOwner
Handle
WatchPug
Vulnerability details
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/facets/shared/Access/CallProtection.sol#L8-L12
Can be changed to:
When
msg.sender != address(this), can exit earlier and avoiding more expensive check ofmsg.sender == LibDiamond.diamondStorage().contractOwner.