Closed sherlock-admin4 closed 6 months ago
Hi! can anyone check this out and escalate it if possible? if not tell me why is not a valid issue
zap is going to be deployed on blast. Which implements the old selfdestruct opcode:
https://github.com/sherlock-audit/2024-03-zap-protocol-judging/issues/118#issuecomment-2024997136
0xR360
high
TokenSale instances can be destroyed by anyone before starting
Summary
Anyone can call destroyInstance function on the admin contract (zap-contracts-labs). This can cause any TokenSale created that has not started to be destroyed.
Vulnerability Detail
destroyInstance function doesn't have any protection over who is calling it. It only checks that the instance exists and it's on "Incomming" state.
Impact
This can lead to any TokenSale created that has not started to be destroyed (selfdestruct) and never used. This can be repeatedly done on every TokenSale bringing the system to a halt (DOS).
Code Snippet
https://github.com/sherlock-audit/2024-03-zap-protocol/blob/main/zap-contracts-labs/contracts/Admin.sol#L138-L143 https://github.com/sherlock-audit/2024-03-zap-protocol/blob/main/zap-contracts-labs/contracts/TokenSale.sol#L186-L194
Tool used
Manual Review
Recommendation
Add protection to the "destroyInstance" function to only be called by admin or creator of the token sale.
Duplicate of #118