The PToken absorb function is not controlled, even though there is a statement in the PToken that access control should be done.
Vulnerability Detail
The description of the absorb function says @dev This function should only be called by contracts. However, there is no access control on this function.
Impact
This function has the ability to mint PToken, which in some circumstances may benefit unrelated third parties.
innertia
medium
Lack of access control for absorb function
Summary
The PToken
absorbfunction is not controlled, even though there is a statement in the PToken that access control should be done.Vulnerability Detail
The description of the
absorbfunction says@dev This function should only be called by contracts. However, there is no access control on this function.Impact
This function has the ability to mint PToken, which in some circumstances may benefit unrelated third parties.
Code Snippet
https://github.com/sherlock-audit/2023-05-ironbank/blob/9ebf1702b2163b55479624794ab7999392367d2a/ib-v2/src/protocol/token/PToken.sol#L58-L68
Tool used
Manual Review
Recommendation
Grant appropriate access controls