code-423n4 / 2022-08-olympus-findings


DDOS to withdraw funds #470

Closed code423n4 closed 1 year ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/policies/TreasuryCustodian.sol#L53

Vulnerability details

Impact

DDOS to approval / withdraw mechanism

Proof of Concept

If someone who's not a policy is given approval to withdraw funds by the custodian with the grantApproval() function, anyone can revoke his approval and prevent him from withdrawing funds from the treasury. The withdraw function should allow anyone with approval to withdraw, since it's not permissioned.

Recommended Mitigation Steps

Make the revoke approval function only callable by a trusted role
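To make the pattern described in this issue concrete, here is an added Solidity example that is not code from the Olympus repository or from the warden's report; the contract, the `admin` role, the `revokeApprovalUnprotected`/`revokeApproval` pair and the `withdraw` signature are assumptions chosen to mirror the report's wording, not the project's actual `TreasuryCustodian` interface. It places the unprotected revoke (the griefing vector the report describes) next to the role-gated version the mitigation recommends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token interface so the example compiles stand-alone.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical custodian (assumption, not the Olympus contract).
/// Approvals are granted by a trusted admin; withdraw is permissionless
/// for anyone holding an approval, so the approval record is the only guard.
contract HypotheticalCustodian {
    address public immutable admin;          // trusted role (assumption)
    IERC20 public immutable treasuryToken;   // token held by the treasury (assumption)

    // withdrawer => amount still approved for withdrawal
    mapping(address => uint256) public approvals;

    event ApprovalGranted(address indexed who, uint256 amount);
    event ApprovalRevoked(address indexed who, address indexed by);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(IERC20 token) {
        admin = msg.sender;
        treasuryToken = token;
    }

    /// Admin grants an address (possibly one that is not a policy) the right
    /// to pull up to `amount` from the treasury.
    function grantApproval(address who, uint256 amount) external onlyAdmin {
        approvals[who] = amount;
        emit ApprovalGranted(who, amount);
    }

    /// BEFORE (the weak pattern the report describes): no access control,
    /// so any caller can zero out another account's approval and block
    /// that account's withdrawal. Kept here only for comparison.
    function revokeApprovalUnprotected(address who) external {
        approvals[who] = 0;
        emit ApprovalRevoked(who, msg.sender);
    }

    /// AFTER (the recommended mitigation): only the trusted role may revoke,
    /// so an unrelated caller cannot interfere with someone else's approval.
    function revokeApproval(address who) external onlyAdmin {
        approvals[who] = 0;
        emit ApprovalRevoked(who, msg.sender);
    }

    /// Permissionless withdraw: the caller's own approval balance is the
    /// only check, which is why revocation must be restricted.
    function withdraw(uint256 amount) external {
        uint256 allowed = approvals[msg.sender];
        require(allowed >= amount, "insufficient approval");
        approvals[msg.sender] = allowed - amount;
        require(treasuryToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

In a production contract only the gated `revokeApproval` would exist, and the role check would come from whatever permission system the codebase already uses rather than a hard-coded `admin` address; the `ApprovalRevoked` event with the revoker's address is included so that off-chain monitoring can flag revocations that did not originate from the expected role.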

0xLienid commented 2 years ago

This was already identified in the TODOs around the function.

0xean commented 1 year ago

closing as invalid due to the warden simply copying the TODO into an issue and not adding any value to the sponsor.