code-423n4 / 2022-05-factorydao-findings


Beneficiary of SpeedBumpPriceGate can close the gate and hike the price for free. #278

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/SpeedBumpPriceGate.sol#L65

Vulnerability details

Impact

SpeedBumpPriceGate.sol is callable by anyone so the beneficiary can hike the price by calling it with his own ETH (which will be returned to him) or by making a flash loan to raise the price high enough that the gate is effectively closed indefinitely.

Recommended Mitigation Steps

Add access control to the gate or at least document that the beneficiary has this power.
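The mechanism the finding describes, as a toy Python model added here for illustration (this is not code from the FactoryDAO repository or from the warden's submission). It models a gate that charges the current price on every pass, forwards the payment to a fixed beneficiary, multiplies the price, and lets the price decay back toward a floor over subsequent blocks. The real contract's escalation and decay formulas are not on this page; the multiply-by-two bump, the linear per-block decay, the floor price and every number below are assumptions chosen for the example. The model shows why self-funded passes cost the beneficiary nothing net, how much capital (a flash loan's size) a burst of passes needs up front, and how long outside users would wait for the price to fall back.

```python
"""Toy model of a "speed bump" price gate.

Every pass charges the current price, pays it to a fixed beneficiary and
multiplies the price; the price then decays linearly toward a floor.
The bump rule, decay rule and all numbers are assumptions for this
example, not the formulas of the audited SpeedBumpPriceGate contract.
"""

from dataclasses import dataclass, field


@dataclass
class SpeedBumpGate:
    beneficiary: str
    floor: int                 # minimum price in wei (assumed)
    multiplier: int            # price is multiplied by this on each pass (assumed)
    decay_per_block: int       # wei taken off the price per elapsed block (assumed)
    price: int = 0             # price as of last_block
    last_block: int = 0
    balances: dict = field(default_factory=dict)   # net wei change per address

    def __post_init__(self):
        self.price = max(self.price, self.floor)

    def current_price(self, block: int) -> int:
        """Price decays linearly with elapsed blocks but never below the floor."""
        elapsed = block - self.last_block
        return max(self.floor, self.price - elapsed * self.decay_per_block)

    def pass_through(self, caller: str, block: int, value: int) -> int:
        """Unrestricted entry point: anyone may pay the current price.

        Debits the caller, credits the beneficiary, bumps the price and
        returns the price that was charged.
        """
        price = self.current_price(block)
        if value < price:
            raise ValueError("insufficient payment")
        self.balances[caller] = self.balances.get(caller, 0) - price
        self.balances[self.beneficiary] = (
            self.balances.get(self.beneficiary, 0) + price
        )
        self.price = price * self.multiplier
        self.last_block = block
        return price

    def blocks_until_floor(self, block: int) -> int:
        """Blocks an outside user must wait until the price is back at the floor."""
        gap = self.current_price(block) - self.floor
        return -(-gap // self.decay_per_block)   # ceiling division on integers


def hike_price(caller: str, passes: int, block: int = 100) -> dict:
    """Run `passes` back-to-back passes in one block and report who paid.

    The price charged on the last pass is the largest amount the caller
    must hold at any single moment, i.e. what a flash loan would have to
    cover if the caller has no capital of its own.
    """
    gate = SpeedBumpGate(
        beneficiary="beneficiary",
        floor=10**18,            # 1 ether floor (assumed)
        multiplier=2,            # doubles on every pass (assumed)
        decay_per_block=10**17,  # 0.1 ether per block (assumed)
    )
    peak = 0
    for _ in range(passes):
        peak = gate.pass_through(caller, block, gate.current_price(block))
    return {
        "price_after": gate.current_price(block),
        "caller_net": gate.balances.get(caller, 0),
        "beneficiary_net": gate.balances.get("beneficiary", 0),
        "capital_needed_up_front": peak,
        "blocks_until_floor": gate.blocks_until_floor(block),
    }


if __name__ == "__main__":
    # When the caller is the beneficiary, every payment flows straight back:
    # net cost zero, price multiplied 2**10 times, ~10k blocks of decay ahead.
    print("beneficiary hikes:", hike_price("beneficiary", 10))
    # An unrelated caller pays the full sum of escalating prices to the beneficiary.
    print("outsider hikes:   ", hike_price("outsider", 10))
```

With the assumed parameters, ten self-funded passes leave the beneficiary's net balance unchanged while the price for everyone else goes from 1 ether to 1024 ether; the same burst from any other address transfers 1023 ether to the beneficiary. The `capital_needed_up_front` figure is what makes the flash-loan variant in the finding plausible under this model: the caller never needs more than the final pass's price in hand at once.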

illuzen commented 2 years ago

How does this benefit beneficiary to stop receiving funds? Mitigation doesn't make sense, how would access control prevent beneficiary from doing this through a different address?

gititGoro commented 2 years ago

Creator doesn't have incentive. Marking invalid.