Closed sherlock-admin4 closed 7 months ago
HonorLt
high
An unprotected function destroyInstance allows anyone to destroy the scheduled sale.
destroyInstance
destroyInstance function lacks access control:
function destroyInstance( address _instance ) external onlyExist(_instance) onlyIncoming(_instance) { _removeFromSales(_instance); ITokenSale(_instance).destroy(); }
Anyone can invoke this function to destroy the IDO before it starts.
The functionality is broken, it is practically impossible to set up a sale that starts in the future because anyone can cancel it.
https://github.com/sherlock-audit/2024-03-zap-protocol/blob/main/zap-contracts-labs/contracts/Admin.sol#L140
Manual Review
Add onlyRole(OPERATOR) access control modifier.
onlyRole(OPERATOR)
Duplicate of #118
HonorLt
high
Unprotected destroy of IDO
Summary
An unprotected function
destroyInstanceallows anyone to destroy the scheduled sale.Vulnerability Detail
destroyInstancefunction lacks access control:Anyone can invoke this function to destroy the IDO before it starts.
Impact
The functionality is broken, it is practically impossible to set up a sale that starts in the future because anyone can cancel it.
Code Snippet
https://github.com/sherlock-audit/2024-03-zap-protocol/blob/main/zap-contracts-labs/contracts/Admin.sol#L140
Tool used
Manual Review
Recommendation
Add
onlyRole(OPERATOR)access control modifier.Duplicate of #118