In Game.sol function basketTotalAllocatedTokens() returns total allocation of basket . It should be only allowed to only owner of the basket but any one call get total allocation using other users basketId.
Vulnerability Detail
Impact
According to documentation, only the owner of the basket should be allowed to run basketTotalAllocatedTokens() but any one can call this function and can get a total allocation of other users.
SPYBOY
medium
Broken access controle in Game.sol
Summary
In Game.sol function
basketTotalAllocatedTokens()
returns total allocation of basket . It should be only allowed to only owner of the basket but any one call get total allocation using other users basketId.Vulnerability Detail
Impact
According to documentation, only the owner of the basket should be allowed to run
basketTotalAllocatedTokens()
but any one can call this function and can get a total allocation of other users.Code Snippet
basketTotalAllocatedTokens() : https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/Game.sol#L191-L193
Tool used
Manual Review
Recommendation
Add
onlyBasketOwner
modifier tobasketTotalAllocatedTokens()
function