sherlock-audit / 2024-05-beefy-cowcentrated-liquidity-manager-judging

John_Femi - Arbitrary User can claim reward fees on harvest #134

Closed sherlock-admin2 closed 2 months ago

sherlock-admin2 commented 2 months ago

John_Femi

medium

Arbitrary User can claim reward fees on harvest

Summary

Any user can claim rewards call fee on harvest due to lack of access control

Vulnerability Detail

Impact

Medium impact but can lead to scavenging where attackers monitor the contract and force harvest for any fees gained

Code Snippet

https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L427

Tool used

Manual Review

Recommendation

Add access control to the harvest function

sherlock-admin4 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

z3s commented:

Invalid; It's intended.