Closed code423n4 closed 2 years ago
Tomio
It's a feature, not a bug:
https://github.com/code-423n4/2022-01-sherlock/blob/main/contracts/managers/SherlockProtocolManager.sol#L612-L615
Handle
Tomio
Vulnerability details
Impact
A user can call forceRemoveByActiveBalance(), and this function doesn't verify whether the caller is the protocol agent, which eventually clears the remaining balance.
Proof of Concept
https://github.com/code-423n4/2022-01-sherlock/blob/main/contracts/managers/SherlockProtocolManager.sol#L615
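The disagreement above is about whether a function that any caller can invoke needs a caller-identity check. The following contract is an added illustration written for this page; it is not code from the Sherlock repository or from the report, and every name in it (ProtocolManagerExample, MIN_ACTIVE_BALANCE, register, removeByAgent) is a hypothetical stand-in. It contrasts the two designs a reviewer should tell apart: a privileged removal path gated on msg.sender, and a deliberately permissionless removal path gated on a state condition (the balance threshold) instead of on who calls it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical example (not Sherlock's code): a manager that tracks a
/// per-protocol agent and a per-protocol active balance.
contract ProtocolManagerExample {
    mapping(bytes32 => address) public protocolAgent;
    mapping(bytes32 => uint256) public activeBalance;

    // Assumed threshold below which a protocol may be removed by anyone.
    uint256 public constant MIN_ACTIVE_BALANCE = 1 ether;

    event ProtocolRemoved(bytes32 indexed protocol, address indexed caller, uint256 remainingBalance);

    /// Caller-identity guard: only the registered agent passes.
    modifier onlyProtocolAgent(bytes32 protocol) {
        require(msg.sender == protocolAgent[protocol], "not protocol agent");
        _;
    }

    /// Register a protocol with an agent and an initial balance (constructed setup).
    function register(bytes32 protocol, address agent) external payable {
        require(agent != address(0), "zero agent");
        require(protocolAgent[protocol] == address(0), "already registered");
        protocolAgent[protocol] = agent;
        activeBalance[protocol] = msg.value;
    }

    /// Privileged path: the agent may remove its own protocol at any balance.
    function removeByAgent(bytes32 protocol) external onlyProtocolAgent(protocol) {
        _remove(protocol);
    }

    /// Permissionless path: any account may trigger removal, but only once the
    /// balance has dropped below the threshold. The guard is the state
    /// precondition, not the caller's identity, so omitting onlyProtocolAgent
    /// here is intentional rather than a missing check.
    function forceRemoveByActiveBalance(bytes32 protocol) external {
        require(protocolAgent[protocol] != address(0), "unknown protocol");
        require(activeBalance[protocol] < MIN_ACTIVE_BALANCE, "balance still sufficient");
        _remove(protocol);
    }

    /// Shared teardown: clear state first, then refund any remainder to the
    /// agent so the permissionless path cannot be used to destroy funds.
    function _remove(bytes32 protocol) internal {
        address agent = protocolAgent[protocol];
        uint256 remaining = activeBalance[protocol];
        delete protocolAgent[protocol];
        delete activeBalance[protocol];
        emit ProtocolRemoved(protocol, msg.sender, remaining);
        if (remaining > 0) {
            (bool ok, ) = agent.call{value: remaining}("");
            require(ok, "refund failed");
        }
    }
}
```

When reviewing a function like forceRemoveByActiveBalance, the question to ask is what bounds its effect: if the only precondition is a state check that any caller can satisfy at the right moment, the function is intentionally open and the audit finding should focus on whether that precondition (here the threshold and what happens to the remaining balance) is the one the protocol actually wants, not on the absence of an access modifier.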