code-423n4 / 2022-04-abranft-findings


lack of access modifier in BentoboxV1.transfer() #185

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/BentoBoxFlat.sol#L919

Vulnerability details

Impact

Due to the lack of an access modifier in BentoboxV1.transfer(), anyone can transfer the shares to their account and can call the withdraw() function to get the funds

Proof of Concept

https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/BentoBoxFlat.sol#L919

Tools Used

manual review

Recommended Mitigation Steps

add an access modifier
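One way to express the recommended mitigation, as an added illustration that is not code from the 2022-04-abranft repository: a minimal share ledger with the unguarded transfer next to a guarded one, where the guard requires the caller to be the share owner or an operator the owner approved. The contract, function and mapping names (ShareLedger, transferUnguarded, isOperator, allowed) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the audited BentoBox code. Names are hypothetical.
contract ShareLedger {
    mapping(address => uint256) public balanceOf;                    // shares per account
    mapping(address => mapping(address => bool)) public isOperator;  // owner => operator => approved

    // Shares are credited to the depositor only.
    function deposit() external payable {
        balanceOf[msg.sender] += msg.value;
    }

    // Vulnerable form: nothing ties `from` to msg.sender, so any caller can
    // move another account's shares to an address they control. The 0.8.x
    // underflow check only stops transfers of more than `from` holds.
    function transferUnguarded(address from, address to, uint256 shares) external {
        balanceOf[from] -= shares;
        balanceOf[to] += shares;
    }

    // Hardened form: the caller must be the share owner or an operator the
    // owner explicitly approved via setOperator().
    modifier allowed(address from) {
        require(msg.sender == from || isOperator[from][msg.sender], "ShareLedger: not allowed");
        _;
    }

    function setOperator(address operator, bool approved) external {
        isOperator[msg.sender][operator] = approved;
    }

    function transfer(address from, address to, uint256 shares) external allowed(from) {
        require(to != address(0), "ShareLedger: zero address");
        balanceOf[from] -= shares;
        balanceOf[to] += shares;
    }

    // Withdrawal is also tied to msg.sender, so shares moved by a stranger
    // through transfer() are the only route to someone else's funds.
    function withdraw(uint256 shares) external {
        balanceOf[msg.sender] -= shares;
        (bool ok, ) = msg.sender.call{value: shares}("");
        require(ok, "ShareLedger: transfer failed");
    }
}
```

In a review, the check to make is that every path that debits `from` (transfer, withdraw, and any batch or "from"-style helper) is covered by the same `allowed(from)` condition, since a single unguarded entry point is enough to drain balances.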

cryptolyndon commented 2 years ago
0xean commented 2 years ago

closing, out of scope.