code-423n4 / 2022-01-openleverage-findings


Anyone can call release() in OLETokenLock.sol #56

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

jayjonah8

Vulnerability details

Impact

In OLETokenLock.sol, the release() function distributes all the allotted tokens to the beneficiaries, but it can be called by anyone. This should be an admin-protected function, as it is very important and deals with the transfer of tokens to beneficiaries, which should not be accessible to just anyone.

Proof of Concept

https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/OLETokenLock.sol#L39

Tools Used

Manual code review

Recommended Mitigation Steps

OLETokenLock.sol should inherit the Adminable.sol contract and add require(msg.sender == admin, "Not Authorized"); to the release() function.
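The pattern described above, as an added illustration that is not the OpenLeverage OLETokenLock.sol code: a minimal token lock whose release function is open to any caller, beside two restricted variants, the admin-only check the finding recommends and the beneficiary-only variant the sponsor reply mentions. The contract layout, the Lock struct, the IERC20 interface and the function names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Example only: not the OpenLeverage contract. Minimal ERC-20 surface used here.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract TokenLockExample {
    IERC20 public immutable token;
    address public admin;

    // Assumed lock layout for the example: total amount, unlock time, amount already paid out.
    struct Lock {
        uint256 amount;
        uint256 releaseTime;
        uint256 released;
    }

    mapping(address => Lock) public locks;

    modifier onlyAdmin() {
        require(msg.sender == admin, "Not Authorized");
        _;
    }

    constructor(IERC20 _token, address _admin) {
        token = _token;
        admin = _admin;
    }

    // Admin records a beneficiary's allotment; tokens are assumed to be deposited separately.
    function addLock(address beneficiary, uint256 amount, uint256 releaseTime) external onlyAdmin {
        require(locks[beneficiary].amount == 0, "lock exists");
        locks[beneficiary] = Lock({amount: amount, releaseTime: releaseTime, released: 0});
    }

    // The shape the finding reports: no caller restriction, anyone can trigger a payout.
    function releaseUnrestricted(address beneficiary) external {
        _release(beneficiary);
    }

    // The mitigation recommended in the finding: only the admin may trigger a payout.
    function releaseByAdmin(address beneficiary) external onlyAdmin {
        _release(beneficiary);
    }

    // The variant the sponsor mentions: a beneficiary may only release its own lock.
    function releaseBySelf() external {
        _release(msg.sender);
    }

    // Shared payout logic. Funds always go to the stored beneficiary, never to msg.sender.
    function _release(address beneficiary) internal {
        Lock storage l = locks[beneficiary];
        require(l.amount > 0, "no lock");
        require(block.timestamp >= l.releaseTime, "still locked");
        uint256 pending = l.amount - l.released;
        require(pending > 0, "nothing to release");
        l.released = l.amount; // effects before interaction
        require(token.transfer(beneficiary, pending), "transfer failed");
    }
}
```

Note that in all three variants the transfer target is the beneficiary recorded in storage, so the difference between them is who may choose the moment of payout, not who receives the tokens.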

ColaM12 commented 2 years ago

Thanks, we do not see any risk in this issue, but we may change it to be callable by beneficiaries only. Recommend severity: "1 (Low Risk)"

0xleastwood commented 2 years ago

As this is unintended behaviour but does not seem to cause any serious issues, I think this should be 1 (Low).