code-423n4 / 2022-06-badger-findings


Access control modifier can be bypassed #147

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L370-L375
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L390-L394

Vulnerability details

Impact

The whenNotPaused modifier in manualProcessExpiredLocks() can be bypassed simply by calling performUpkeep(...) with any argument. Those two functions do the same thing.

Tools Used

Manual analysis

Recommended Mitigation Steps

If the design is not to allow such a call when paused, a whenNotPaused modifier should also be used in performUpkeep(...).
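The pattern the finding describes, reduced to a self-contained Solidity example. This is an added illustration, not code from the vested-aura repository or from MyStrategy.sol: the contract names, the `owner`/`paused` state, the internal `_processExpiredLocks()` helper and the `processedCount` counter are all assumptions chosen to show two entry points reaching one shared effect, with the pause guard on only one of them. `BypassDemo` exercises both variants so the bypass, and the effect of the recommended mitigation, can be observed directly (for example in Remix).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed stand-in for a pausable strategy. NOT the project's code;
// every name below is an assumption made for illustration.
contract PausableStrategyVulnerable {
    address public owner;
    bool public paused;
    uint256 public processedCount; // stand-in for the real side effect

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor() { owner = msg.sender; }

    function pause() external onlyOwner { paused = true; }
    function unpause() external onlyOwner { paused = false; }

    // Shared effect that both external entry points reach.
    function _processExpiredLocks() internal {
        processedCount += 1;
    }

    // Guarded entry point: reverts while paused.
    function manualProcessExpiredLocks() external whenNotPaused {
        _processExpiredLocks();
    }

    // Unguarded entry point (the keeper path). The argument is ignored,
    // mirroring the finding's "with any argument". Declared virtual so the
    // fixed variant below can override it.
    function performUpkeep(bytes calldata /* performData */) external virtual {
        _processExpiredLocks();
    }
}

// The same contract with the recommended mitigation applied: the pause
// guard sits on every entry point that reaches the shared effect.
contract PausableStrategyFixed is PausableStrategyVulnerable {
    function performUpkeep(bytes calldata /* performData */)
        external
        override
        whenNotPaused
    {
        _processExpiredLocks();
    }
}

// Drives both variants while paused and reports what each call did.
contract BypassDemo {
    // Vulnerable contract: manual path reverts, upkeep path still runs.
    // Expected: (true, true, 1)
    function runVulnerable()
        external
        returns (bool manualReverted, bool upkeepSucceeded, uint256 count)
    {
        PausableStrategyVulnerable s = new PausableStrategyVulnerable(); // demo is owner
        s.pause();
        try s.manualProcessExpiredLocks() { manualReverted = false; }
        catch { manualReverted = true; }
        try s.performUpkeep("") { upkeepSucceeded = true; }
        catch { upkeepSucceeded = false; }
        count = s.processedCount();
    }

    // Fixed contract: both paths revert while paused, nothing is processed.
    // Expected: (true, false, 0)
    function runFixed()
        external
        returns (bool manualReverted, bool upkeepSucceeded, uint256 count)
    {
        PausableStrategyFixed s = new PausableStrategyFixed();
        s.pause();
        try s.manualProcessExpiredLocks() { manualReverted = false; }
        catch { manualReverted = true; }
        try s.performUpkeep("") { upkeepSucceeded = true; }
        catch { upkeepSucceeded = false; }
        count = s.processedCount();
    }
}
```

The general check this illustrates: when a modifier guards a public entry point, enumerate every other external or public function that reaches the same internal effect and confirm the guard (or a deliberate decision not to guard) is applied consistently; a modifier on one wrapper says nothing about the others.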

GalloDaSballo commented 2 years ago

Agree with code inconsistency, disagree with any vulnerability; if anything we should make the manualProcessLocks also open to everyone.