hats-finance / SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7


Lack of Access Control for Arbitrator Fee Setting #19

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0xa3d4e5242323ee490da9b267496747be8cba6ec6bc304ffa57160a721a7d3581
Severity: low

Description

The setQuestionFee function allows any address to set a per-question fee, which is intended to be managed solely by the arbitrator. However, the function is accessible to any external caller without proper access control, allowing unauthorized users to modify the fee arbitrarily. This contradicts the intended usage described in the function's documentation and the emitted event, which expects the caller to be the arbitrator. Additionally, the LogSetQuestionFee event logs can become cluttered with irrelevant entries since anyone can set arbitrary fees, making it challenging to trace legitimate changes made by the actual arbitrator.

Attachments

  1. Proof of Concept (PoC)

```solidity
/// @notice Function for arbitrator to set an optional per-question fee.
/// @dev The per-question fee, charged when a question is asked, is intended as an anti-spam measure.
/// @param fee The fee to be charged by the arbitrator when a question is asked
function setQuestionFee(uint256 fee)
    stateAny()
external {
    arbitrator_question_fees[msg.sender] = fee;
    emit LogSetQuestionFee(msg.sender, fee);
}
```

  2. Revised Code

Implement proper access control within the setQuestionFee function to ensure that only the designated arbitrator can modify the fee. This will prevent unauthorized access and maintain the integrity of the fee management mechanism.

clesaege commented 1 month ago

You don't need access control as you are using msg.sender to find the right element of the mapping. Filtering logs is a frontend job.
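
The point made in the reply above, as an added example that is not part of the thread or the project's code: a small in-memory model of a `msg.sender`-keyed fee mapping, plus the client-side log filter a frontend would apply. The class, function names and addresses are hypothetical and constructed for illustration.

```javascript
// Added illustration: a minimal in-memory model, not the project's contract.
// Addresses below are constructed sample values.
const ARBITRATOR = "0x" + "a".repeat(40);
const OTHER_CALLER = "0x" + "b".repeat(40);

class FeeRegistryModel {
  constructor() {
    this.arbitratorQuestionFees = new Map(); // models arbitrator_question_fees
    this.logs = [];                          // models emitted LogSetQuestionFee events
  }

  // Mirrors setQuestionFee: the storage key is always the caller itself.
  setQuestionFee(msgSender, fee) {
    const caller = msgSender.toLowerCase();
    this.arbitratorQuestionFees.set(caller, fee);
    this.logs.push({ event: "LogSetQuestionFee", arbitrator: caller, amount: fee });
  }

  // Unset mapping entries read as zero, as in Solidity.
  questionFeeOf(arbitrator) {
    return this.arbitratorQuestionFees.get(arbitrator.toLowerCase()) ?? 0n;
  }
}

// Frontend-side filter: keep only the fee changes made by one arbitrator.
function feeHistoryFor(logs, arbitrator) {
  const wanted = arbitrator.toLowerCase();
  return logs
    .filter((l) => l.event === "LogSetQuestionFee" && l.arbitrator === wanted)
    .map((l) => l.amount);
}

function demo() {
  const model = new FeeRegistryModel();
  model.setQuestionFee(ARBITRATOR, 100n);
  model.setQuestionFee(OTHER_CALLER, 999999n); // unrelated caller writes only its own slot
  model.setQuestionFee(ARBITRATOR, 250n);
  return {
    arbitratorFee: model.questionFeeOf(ARBITRATOR),
    otherFee: model.questionFeeOf(OTHER_CALLER),
    history: feeHistoryFor(model.logs, ARBITRATOR),
    totalLogs: model.logs.length,
  };
}
```
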