Handle
Dravee
Vulnerability details
Impact
This function removes a protocol with insufficient active balance and sends its remaining balance to msg.sender. However, this function is callable by anyone, for any protocol. activeBalances being internal doesn't mean it cannot be read or that its information is secret: storage is readable by any node, so the moment a protocol's balance drops below the threshold, a watcher can submit the removal call first. Therefore, this can be monitored and front-run.
Proof of Concept
https://github.com/code-423n4/2022-01-sherlock/blob/main/contracts/managers/SherlockProtocolManager.sol#L615-L636
Tools Used
VS Code
Recommended Mitigation Steps
Add some access control
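Added illustration of the pattern described under Impact and of the recommended mitigation; this is simplified example code, not the audited SherlockProtocolManager contract. The contract and function names, the `minActiveBalance` threshold and the `onlyOwner` modifier are assumptions made for this example; only `activeBalances` is taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// `internal` only hides a variable from other Solidity code. Anyone can read the
// slot with eth_getStorageAt or reconstruct it from events, so it is not secret.
contract VulnerableManager {
    mapping(bytes32 => uint256) internal activeBalances;
    uint256 public minActiveBalance = 1 ether; // assumed threshold for the example

    function deposit(bytes32 protocol) external payable {
        activeBalances[protocol] += msg.value;
    }

    // Vulnerable pattern: callable by anyone, for any protocol, and the
    // remaining balance is paid to whoever lands the transaction first.
    function removeInsufficientProtocol(bytes32 protocol) external {
        uint256 remaining = activeBalances[protocol];
        require(remaining < minActiveBalance, "balance sufficient");
        delete activeBalances[protocol];
        payable(msg.sender).transfer(remaining);
    }
}

contract HardenedManager {
    mapping(bytes32 => uint256) internal activeBalances;
    uint256 public minActiveBalance = 1 ether; // assumed threshold for the example
    address public immutable owner;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function deposit(bytes32 protocol) external payable {
        activeBalances[protocol] += msg.value;
    }

    // Mitigation: only the owner may trigger removal, and the refund goes to a
    // fixed address rather than msg.sender, so observing the state buys nothing.
    function removeInsufficientProtocol(bytes32 protocol) external onlyOwner {
        uint256 remaining = activeBalances[protocol];
        require(remaining < minActiveBalance, "balance sufficient");
        delete activeBalances[protocol];
        (bool ok, ) = owner.call{value: remaining}("");
        require(ok, "transfer failed");
    }
}
```

The hardened version pairs access control with a fixed refund destination; either change alone removes the incentive for the front-run, and together they also stop unauthorized removals.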