Anyone can harvest the fees generated in the StrategyPassiveManagerVelodrome contract
Summary
Anyone can harvest the fees generated in the StrategyPassiveManagerVelodrome contracts
Vulnerability Detail
Due to the way that both of the harvest functions inside of the StrategyPassiveManagerVelodrome contract are implemented, anyone will be able to claim the fees generated in this contract for themselves. This is because they are permissionless and lack any access control.
It is stated in the contest readme file that there will be a bot responsible for frequent harvesting of accumulated fees. It is also stated that this bot will be making all of its calls to the harvest functions through private RPCs. However, it is worth noting this can not absolutely guarantee that the bot will always be the one who harvests the fees, as it can still be frontran, even when submitting its transactions through the above mentioned RPCs. Also, since the protocol is intended to be deployed on any EVM compatible chain, there is a good chance that there might not be such a service on some particular chain/s where it will be deployed to.
Impact
The protocol team will receive less fees then they should
Arabadzhiev
medium
Anyone can harvest the fees generated in the
StrategyPassiveManagerVelodrome
contractSummary
Anyone can harvest the fees generated in the
StrategyPassiveManagerVelodrome
contractsVulnerability Detail
Due to the way that both of the
harvest
functions inside of theStrategyPassiveManagerVelodrome
contract are implemented, anyone will be able to claim the fees generated in this contract for themselves. This is because they are permissionless and lack any access control.It is stated in the contest readme file that there will be a bot responsible for frequent harvesting of accumulated fees. It is also stated that this bot will be making all of its calls to the
harvest
functions through private RPCs. However, it is worth noting this can not absolutely guarantee that the bot will always be the one who harvests the fees, as it can still be frontran, even when submitting its transactions through the above mentioned RPCs. Also, since the protocol is intended to be deployed on any EVM compatible chain, there is a good chance that there might not be such a service on some particular chain/s where it will be deployed to.Impact
The protocol team will receive less fees then they should
Code Snippet
StrategyPassiveManagerVelodrome.sol#L427-L429 StrategyPassiveManagerVelodrome.sol#L433-L435
Tool used
Manual Review
Recommendation
Add access control to both
harvest
functions