Lines of code
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/policies/TreasuryCustodian.sol#L53
Vulnerability details
Impact
Denial of service (DoS) of the approval / withdraw mechanism
Proof of Concept
If an address that is not a policy is granted approval to withdraw funds by the custodian via the grantApproval() function, anyone can call the revoke function and cancel that approval, preventing the approved address from withdrawing funds from the treasury. Since the withdraw function is not permissioned, it should remain usable by any address that holds an approval; the revoke path is the problem, not the withdraw path.
Recommended Mitigation Steps
Make the revoke approval function only callable by a trusted role
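The following is an added, simplified illustration of the pattern in this finding, not the Olympus TreasuryCustodian code: the contract, function and role names (CUSTODIAN, approvals, revokeApproval_unprotected, withdraw) are assumed. It shows the unprotected revoke beside the mitigated version that restricts revocation to the same trusted role that grants approvals.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified stand-in for a treasury with custodian-managed approvals.
// All names here are assumed for illustration; this is not the audited code.
contract TreasuryApprovalsExample {
    address public immutable CUSTODIAN; // trusted role that manages approvals
    mapping(address => uint256) public approvals;

    error Unauthorized();
    error InsufficientApproval();
    error TransferFailed();

    constructor(address custodian_) {
        CUSTODIAN = custodian_;
    }

    modifier onlyCustodian() {
        if (msg.sender != CUSTODIAN) revert Unauthorized();
        _;
    }

    // Let the contract hold funds for the example.
    receive() external payable {}

    // Only the custodian may grant an allowance, to a policy or any other account.
    function grantApproval(address to, uint256 amount) external onlyCustodian {
        approvals[to] = amount;
    }

    // VULNERABLE pattern from the finding: no access control, so any caller can
    // zero out someone else's approval and block their withdrawal.
    function revokeApproval_unprotected(address from) external {
        approvals[from] = 0;
    }

    // Mitigated version: the trusted role that grants approvals is the only
    // one that can revoke them.
    function revokeApproval(address from) external onlyCustodian {
        approvals[from] = 0;
    }

    // withdraw is intentionally permissionless: any address with an approval may use it.
    function withdraw(uint256 amount) external {
        if (approvals[msg.sender] < amount) revert InsufficientApproval();
        approvals[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}
```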