search

sherlock-audit / 2024-01-looksrare-judging

3 stars 0 forks source link

PTolev - Anyone can `cancelAfterRandomnessRequest` #145

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 7 months ago

PTolev

medium

Anyone can cancelAfterRandomnessRequest

Summary

Missing access control in cancelAfterRandomnessRequest

Vulnerability Detail

The NatSpec for the cancelAfterRandomnessRequest function in IYoloV2 specify it should only be callable by the contract owner:

Only callable by contract owner.

However, this function lacks the necessary restriction, allowing anyone to call it.

Impact

Anyone can cancelAfterRandomnessRequest if he has not won the round or the result is not satisfactory to him.

Code Snippet

https://github.com/sherlock-audit/2024-01-looksrare/blob/7d76b96a58a6aee38f23bb38b8a5daa3bdc03f7c/contracts-yolo/contracts/interfaces/IYoloV2.sol#L265

https://github.com/sherlock-audit/2024-01-looksrare/blob/7d76b96a58a6aee38f23bb38b8a5daa3bdc03f7c/contracts-yolo/contracts/YoloV2.sol#L451

Tool used

Manual Review

Recommendation

    function cancelAfterRandomnessRequest() external nonReentrant {
+       _validateIsOwner();
        _validateOutflowIsAllowed();

        uint256 roundId = roundsCount;
        Round storage round = rounds[roundId];

        _validateRoundStatus(round, RoundStatus.Drawing);

        if (block.timestamp < round.drawnAt + 1 days) {
            revert DrawExpirationTimeNotReached();
        }

        round.status = RoundStatus.Cancelled;

        emit RoundStatusUpdated(roundId, RoundStatus.Cancelled);

        _startRound({_roundsCount: roundId});
    }

Duplicate of #12