This is inline with what the natspec comments says.
/// @notice function to see the total unredeemed rewards the basket has built up. Only the owner of the basket can view this.
But the function [basketTotalAllocatedTokens](https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/Game.sol#L191) is not under protection.
ak1
medium
Game.sol: owner privileged function can be accessed by anyone.
Summary
In Game.sol, the function , some of the view functions are only accessed by the owner of the basket.
We can see this for basketAllocationInProtocol and for basketUnredeemedRewards.
This is inline with what the natspec comments says.
But the function
[basketTotalAllocatedTokens](https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/Game.sol#L191)is not under protection.Here what the comment says,
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/Game.sol#L188
Vulnerability Detail
Refer the summary section
Impact
Anybody can call
basketTotalAllocatedTokensand view thenrOfAllocatedTokensThis is against the privileged access.Code Snippet
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/Game.sol#L188-L193
Tool used
Manual Review
Recommendation
Use
onlyBasketOwnermodifier forbasketTotalAllocatedTokens()function too.