Anyone can toggle the pool status for RFPSimpleStrategy
Only pool managers are allowed to update the pool status in RFPSimpleStrategy. However, there is no access control restriction on setPoolActive, so anyone can update the pool status.
Vulnerability Detail
Only pool managers should be able to update pool status, but the onlyPoolManager modifier is missing. Anyone can set the pool to active or inactive states.
/// @notice Toggle the status between active and inactive.
/// @dev 'msg.sender' must be a pool manager to close the pool. Emits a 'PoolActive()' event.
/// @param _flag The flag to set the pool to active or inactive
function setPoolActive(bool _flag) external {
_setPoolActive(_flag);
emit PoolActive(_flag);
}
Impact
A malicious user can interfere by setting the pool with incorrect statuses and DOS a pool manager who is trying to register recipients, allocate, distribute, and withdraw.
shirochan
high
Anyone can toggle the pool status for
RFPSimpleStrategyOnly pool managers are allowed to update the pool status in
RFPSimpleStrategy. However, there is no access control restriction onsetPoolActive, so anyone can update the pool status.Vulnerability Detail
Only pool managers should be able to update pool status, but the
onlyPoolManagermodifier is missing. Anyone can set the pool to active or inactive states.Impact
A malicious user can interfere by setting the pool with incorrect statuses and DOS a pool manager who is trying to register recipients, allocate, distribute, and withdraw.
Code Snippet
setPoolActive implementation
Tool used
Manual Review
Recommendation
Add the
onlyPoolManagermodifier to restrict access: