Lines of code
https://github.com/code-423n4/2022-06-nested/blob/main/contracts/governance/scripts/OperatorScripts.sol
Vulnerability details
Impact
The functions defined in the OperatorScripts contract are external functions with no access control.
As a result, anyone can add operators that are returned by OperatorResolver.getOperator(), which MixinOperatorResolver calls for use in callOperator(), which in turn is called when orders are submitted in NestedFactory.
Tools Used
Manual review
Recommended Mitigation Steps
Apply necessary access control restrictions on the functions.
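The check behind this finding can be approximated mechanically before a manual review. The following is an added example, not code from the report or from the audited project: a heuristic that lists state-changing external/public Solidity functions with neither a modifier nor a msg.sender check in the body. The sample contract and its function names are constructed for illustration.

```python
import re

# Constructed sample source; contract and function names are hypothetical,
# not taken from the audited repository.
SAMPLE = '''
contract ScriptsExample {
    address owner;
    mapping(bytes32 => address) operators;
    uint256 feeBps;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function addOperator(bytes32 name, address impl) external {
        operators[name] = impl;
    }
    function removeOperator(bytes32 name) external onlyOwner {
        delete operators[name];
    }
    function setFee(uint256 fee) public {
        require(msg.sender == owner, "not owner");
        feeBps = fee;
    }
    function getOperator(bytes32 name) external view returns (address) {
        return operators[name];
    }
}
'''

# Group 1: function name. Group 2: everything between ")" and the body "{".
FUNC = re.compile(r'function\s+(\w+)\s*\([^)]*\)([^{;]*)\{')
KEYWORDS = {"external", "public", "payable", "virtual", "override"}

def body_of(src, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]

def unguarded_functions(src):
    """Names of exposed, state-changing functions with no visible caller check."""
    flagged = []
    for m in FUNC.finditer(src):
        header = re.sub(r'returns\s*\([^)]*\)', '', m.group(2))  # drop return types
        words = set(re.findall(r'\w+', header))
        exposed = words & {"external", "public"} and not words & {"view", "pure"}
        guarded = words - KEYWORDS or "msg.sender" in body_of(src, m.end() - 1)
        if exposed and not guarded:
            flagged.append(m.group(1))
    return flagged
```

Flagged names are candidates for manual review only: the heuristic does not follow inheritance, internal helper checks, or how the contract is invoked.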