code-423n4 / 2022-08-olympus-findings


User can get loan without debt #429

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/70d7259581fe32647293ca4ff653ca3f2ad770b6/src/modules/TRSRY.sol#L75-L102

Vulnerability details

Impact

User can get a loan without permission and without debt

Proof of Concept

TRSRY.withdrawReserves does the same validation as TRSRY.getLoan, but TRSRY.withdrawReserves does not have the permissioned modifier, so anyone can get a loan from the Treasury without any permission and without incurring debt. This is an architecture problem, so I report this as medium risk.

Tools Used

Manual review

Recommended Mitigation Steps

Add the permissioned modifier to TRSRY.withdrawReserves.
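The pattern the finding describes, as an added Solidity sketch that is not the project's TRSRY.sol or any code from the thread: a treasury with a shared withdrawal-approval check, a debt path gated by a permissioned modifier, the reported ungated withdrawReserves beside the recommended fix. The Kernel-style policy permission check is replaced here by a kernel-controlled allow-list, the ERC20 interface is reduced to transfer, and the names withdrawApproval, reserveDebt, totalDebt and withdrawReservesFixed are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Minimal ERC20 stand-in: only what this sketch needs (assumption).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative treasury module, not the project's contract. The Kernel policy
/// permission check is modelled as an allow-list that only the deployer
/// ("kernel") may edit (assumption).
contract TreasurySketch {
    address public immutable kernel;
    mapping(address => bool) public isPolicy;                        // stand-in for Kernel permissions
    mapping(address => mapping(IERC20 => uint256)) public withdrawApproval;
    mapping(IERC20 => mapping(address => uint256)) public reserveDebt;
    mapping(IERC20 => uint256) public totalDebt;

    event Withdrawal(address indexed caller, address indexed to, IERC20 indexed token, uint256 amount);
    event DebtIncurred(IERC20 indexed token, address indexed policy, uint256 amount);

    error Unauthorized(address caller);
    error NotApproved(address spender, IERC20 token, uint256 amount);

    /// Only addresses the kernel has registered as policies pass.
    modifier permissioned() {
        if (!isPolicy[msg.sender]) revert Unauthorized(msg.sender);
        _;
    }

    constructor() {
        kernel = msg.sender;
    }

    function setPolicy(address policy_, bool allowed_) external {
        require(msg.sender == kernel, "only kernel");
        isPolicy[policy_] = allowed_;
    }

    /// Granting a withdrawal approval is itself a permissioned action.
    function setApprovalFor(address spender_, IERC20 token_, uint256 amount_) external permissioned {
        withdrawApproval[spender_][token_] = amount_;
    }

    /// Shared validation: consume the caller's approval or revert.
    function _checkApproval(address spender_, IERC20 token_, uint256 amount_) internal {
        uint256 approval = withdrawApproval[spender_][token_];
        if (approval < amount_) revert NotApproved(spender_, token_, amount_);
        withdrawApproval[spender_][token_] = approval - amount_;
    }

    /// As reported: same approval check as getLoan, but no permissioned gate
    /// and nothing written to reserveDebt/totalDebt.
    function withdrawReserves(address to_, IERC20 token_, uint256 amount_) public {
        _checkApproval(msg.sender, token_, amount_);
        require(token_.transfer(to_, amount_), "transfer failed");
        emit Withdrawal(msg.sender, to_, token_, amount_);
    }

    /// Debt path: gated by permissioned and records what the policy owes.
    function getLoan(IERC20 token_, uint256 amount_) external permissioned {
        _checkApproval(msg.sender, token_, amount_);
        reserveDebt[token_][msg.sender] += amount_;
        totalDebt[token_] += amount_;
        require(token_.transfer(msg.sender, amount_), "transfer failed");
        emit DebtIncurred(token_, msg.sender, amount_);
    }

    /// The recommended mitigation applied: identical body, plus permissioned.
    function withdrawReservesFixed(address to_, IERC20 token_, uint256 amount_) external permissioned {
        _checkApproval(msg.sender, token_, amount_);
        require(token_.transfer(to_, amount_), "transfer failed");
        emit Withdrawal(msg.sender, to_, token_, amount_);
    }
}
```

In this sketch the withdrawal approval is the only check the two paths share, so an address that holds an approval but is not a registered policy can pull reserves through withdrawReserves with reserveDebt and totalDebt unchanged, while the same call to withdrawReservesFixed reverts with Unauthorized before the approval is consumed.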

0xean commented 1 year ago

dupe of #75