Lines of code
https://github.com/code-423n4/2022-08-olympus/blob/70d7259581fe32647293ca4ff653ca3f2ad770b6/src/modules/TRSRY.sol#L75-L102
Vulnerability details
Impact
An address holding a withdraw approval can take Treasury funds (effectively a loan) without passing the permissioned check and without any debt being recorded against it.
Proof of Concept
TRSRY.withdrawReserves performs the same validation as TRSRY.getLoan (both run the same approval check on msg.sender for the given token and amount), but unlike getLoan it is not guarded by the permissioned modifier and it records no debt. Any approved address can therefore pull reserves out of the Treasury without passing the permissioned check and without incurring any debt, which amounts to an unaccounted loan. This is an architecture problem, so I report this as medium risk.
Tools Used
Manual review
Recommended Mitigation Steps
Add the permissioned modifier to TRSRY.withdrawReserves so that it is gated the same way as TRSRY.getLoan.
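The contrast between the two code paths, and the recommended fix, as an added self-contained illustration (this is not Olympus code; the Kernel, its permissioned modifier and the policy registry are replaced by a single-owner stand-in, and the token interface is reduced to transfer/balanceOf, all of which are assumptions made for the example):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added example, not the project's TRSRY module. Models the pattern the finding
// describes: withdrawReserves and getLoan share one approval check, but only
// getLoan is gated by `permissioned` and records the debt it creates.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address owner) external view returns (uint256);
}

contract ToyTreasury {
    // Assumption: one admin address stands in for the Kernel, and a boolean
    // map stands in for the Kernel's per-policy permission table.
    address public immutable kernel;
    mapping(address => bool) public isPolicy;

    // Same bookkeeping shape as the finding describes.
    mapping(address => mapping(IERC20 => uint256)) public withdrawApproval;
    mapping(IERC20 => mapping(address => uint256)) public reserveDebt;
    mapping(IERC20 => uint256) public totalDebt;

    error NotPermitted();
    error NotApproved();

    constructor() {
        kernel = msg.sender;
    }

    // Stand-in for the module's `permissioned` modifier: only registered
    // policies may call a function carrying it.
    modifier permissioned() {
        if (!isPolicy[msg.sender]) revert NotPermitted();
        _;
    }

    function setPolicy(address policy, bool enabled) external {
        require(msg.sender == kernel, "kernel only");
        isPolicy[policy] = enabled;
    }

    // A policy grants a withdraw allowance to any address, policy or not.
    function setApprovalFor(address withdrawer, IERC20 token, uint256 amount)
        external
        permissioned
    {
        withdrawApproval[withdrawer][token] = amount;
    }

    // The single approval check both paths rely on. It knows nothing about
    // whether the caller is a policy; that is what `permissioned` is for.
    function _checkApproval(address withdrawer, IERC20 token, uint256 amount) internal {
        if (withdrawApproval[withdrawer][token] < amount) revert NotApproved();
        if (withdrawApproval[withdrawer][token] != type(uint256).max) {
            withdrawApproval[withdrawer][token] -= amount;
        }
    }

    // VULNERABLE shape from the finding: same approval check as getLoan, but no
    // `permissioned` gate and no debt accounting. An approved EOA can call this
    // directly and the reserves leave the treasury with nothing recorded.
    function withdrawReserves(address to, IERC20 token, uint256 amount) public {
        _checkApproval(msg.sender, token, amount);
        require(token.transfer(to, amount), "transfer failed");
    }

    // The loan path: permissioned AND debt is recorded against the caller.
    function getLoan(IERC20 token, uint256 amount) external permissioned {
        _checkApproval(msg.sender, token, amount);
        reserveDebt[token][msg.sender] += amount;
        totalDebt[token] += amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // FIXED shape per the recommended mitigation: the withdrawal is gated by
    // `permissioned` exactly like getLoan, so a bare approved address can no
    // longer call it; only a Kernel-authorised policy can.
    function withdrawReservesFixed(address to, IERC20 token, uint256 amount)
        external
        permissioned
    {
        _checkApproval(msg.sender, token, amount);
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

Walking the scenario through this toy: a registered policy calls setApprovalFor(attacker, token, 1000e18) for an externally owned account; the attacker then calls withdrawReserves(attacker, token, 1000e18) and receives the tokens while reserveDebt[token][attacker] and totalDebt[token] stay zero. The same account calling getLoan reverts with NotPermitted, and calling withdrawReservesFixed reverts the same way, which is the behaviour the mitigation restores. Note that the approval still has to be granted by a policy first; the modifier closes the gap between "approved" and "authorised policy", it does not replace approval management.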