Closed sherlock-admin2 closed 2 months ago
John_Femi
medium
Any user can claim rewards call fee on harvest due to lack of access control
Medium impact but can leading to scavenging where attackers monitor the contract and force harvest for any fees gained
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L427
Manual Review
Add access control to the harvest function
1 comment(s) were left on this issue during the judging contest.
z3s commented:
Invalid; It's intended.
John_Femi
medium
Arbitrary User can claim reward fees on harvest
Summary
Any user can claim rewards call fee on harvest due to lack of access control
Vulnerability Detail
Impact
Medium impact but can leading to scavenging where attackers monitor the contract and force harvest for any fees gained
Code Snippet
https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L427
Tool used
Manual Review
Recommendation
Add access control to the harvest function