sherlock-audit / 2022-10-merit-circle-judging


rvierdiiev - BasePool.distributeRewards function should be restricted to not be called by anyone #41

Closed sherlock-admin closed 2 years ago

sherlock-admin commented 2 years ago

rvierdiiev

low

BasePool.distributeRewards function should be restricted to not be called by anyone

Summary

BasePool.distributeRewards function can be misused by a user, so he will lose his tokens.

Vulnerability Detail

Impact

User may lose funds.

Code Snippet

    function distributeRewards(uint256 _amount) external override {
        rewardToken.safeTransferFrom(_msgSender(), address(this), _amount);
        _distributeRewards(_amount);
    }

Tool used

Manual Review

Recommendation

Restrict this function to be called by government (onlyGov) or something.