sherlock-audit / 2024-05-beefy-cowcentrated-liquidity-manager-judging


Arabadzhiev - Anyone can harvest the fees generated in the `StrategyPassiveManagerVelodrome` contract #126

Closed sherlock-admin3 closed 2 months ago

sherlock-admin3 commented 2 months ago

Arabadzhiev

medium

Anyone can harvest the fees generated in the StrategyPassiveManagerVelodrome contract

Summary

Anyone can harvest the fees generated in the StrategyPassiveManagerVelodrome contract

Vulnerability Detail

Due to the way that both of the harvest functions inside of the StrategyPassiveManagerVelodrome contract are implemented, anyone will be able to claim the fees generated in this contract for themselves. This is because they are permissionless and lack any access control.

It is stated in the contest readme file that there will be a bot responsible for frequent harvesting of accumulated fees. It is also stated that this bot will be making all of its calls to the harvest functions through private RPCs. However, it is worth noting that this cannot absolutely guarantee that the bot will always be the one who harvests the fees, as it can still be front-run, even when submitting its transactions through the above-mentioned RPCs. Also, since the protocol is intended to be deployed on any EVM-compatible chain, there is a good chance that there might not be such a service on some particular chain/s where it will be deployed to.

Impact

The protocol team will receive less fees than they should

Code Snippet

StrategyPassiveManagerVelodrome.sol#L427-L429
StrategyPassiveManagerVelodrome.sol#L433-L435

Tool used

Manual Review

Recommendation

Add access control to both harvest functions
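The recommendation above, shown as an added illustration that is not the project's code and not part of the original submission. The contract, its `IRewardSource` interface, the caller-fee mechanic and the `onlyHarvester` allowlist are all hypothetical; they only model the shape of the problem (a permissionless harvest that pays a share of claimed fees to `msg.sender`) beside one way of restricting it:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reward source; stands in for the external pool/gauge the
// strategy would claim from. Not the project's interface.
interface IRewardSource {
    function claim() external returns (uint256 amount);
}

// Hypothetical strategy sketch (not StrategyPassiveManagerVelodrome).
contract HarvestAccessExample {
    address public owner;
    IRewardSource public immutable rewardSource;

    // Allowlisted harvester bots (assumed design; the page only says
    // "add access control to both harvest functions").
    mapping(address => bool) public harvesters;

    // Assumed share of each harvest paid to whoever triggered it, in bps.
    uint256 public constant CALL_FEE_BPS = 50; // 0.5%
    uint256 public protocolFeesAccrued;

    event Harvest(address indexed caller, uint256 claimed, uint256 callFee);
    event HarvesterSet(address indexed account, bool allowed);

    constructor(IRewardSource _rewardSource) {
        owner = msg.sender;
        rewardSource = _rewardSource;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Owner is always allowed so a misconfigured allowlist cannot brick harvesting.
    modifier onlyHarvester() {
        require(harvesters[msg.sender] || msg.sender == owner, "not harvester");
        _;
    }

    function setHarvester(address account, bool allowed) external onlyOwner {
        harvesters[account] = allowed;
        emit HarvesterSet(account, allowed);
    }

    // --- Permissionless form (the behaviour the finding describes) ---
    // Any EOA can call this, including one that front-runs the protocol's bot,
    // and collect the caller share for itself.
    function harvestPermissionless(address callFeeRecipient) external {
        _harvest(callFeeRecipient);
    }

    // --- Restricted form (the finding's recommendation) ---
    // Only allowlisted bots (or the owner) may trigger a harvest, so the
    // caller share cannot be captured by a front-runner.
    function harvest(address callFeeRecipient) external onlyHarvester {
        _harvest(callFeeRecipient);
    }

    function _harvest(address callFeeRecipient) internal {
        require(callFeeRecipient != address(0), "zero recipient");
        uint256 claimed = rewardSource.claim();
        if (claimed == 0) return;

        uint256 callFee = (claimed * CALL_FEE_BPS) / 10_000;
        protocolFeesAccrued += claimed - callFee;

        // Accounting only; a real strategy would transfer the reward token here.
        emit Harvest(callFeeRecipient, claimed, callFee);
    }
}
```

Whether the restriction is worth its operational cost is exactly what the judges below weigh: an allowlist removes the front-running surface on chains without a private-RPC service, but it also means the strategy can only be harvested by addresses the owner has registered, so the bot set must be maintained per chain.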

sherlock-admin3 commented 2 months ago

2 comment(s) were left on this issue during the judging contest.

z3s commented:

Invalid; It's intended.

DHTNS commented:

Invalid -> works as intended