Closed sherlock-admin3 closed 3 months ago
Invalid, AssetsProcess.sol is a library, not a contract and so these functions are not supposed to be called directly, but instead are only called within AccountFacet.sol where the relevant access control is in place
Salem
High
Lack of Access Control in executeWithdraw and cancelWithdraw
Summary
The functions executeWithdraw and cancelWithdraw are marked as external, allowing any address to call them. This absence of access control permits unauthorized users to execute or cancel withdrawal requests, potentially resulting in unauthorized fund transfers or denial of service attacks.
Vulnerability Detail
Impact
Code Snippet
https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/AssetsProcess.sol#L167
POC
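The library-versus-contract distinction raised in the closing comment, as an added example that is not code from the report or from the protocol: every name, the storage slot string and the keeper role below are hypothetical, and the page does not show the real access-control scheme.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Hypothetical, simplified stand-in for a process library; not the protocol's code.
library WithdrawProcessExample {
    struct Request { address account; uint256 amount; }
    struct Store { mapping(address => uint256) balance; mapping(uint256 => Request) requests; uint256 nextId; }

    function store() internal pure returns (Store storage s) {
        bytes32 slot = keccak256("example.withdraw.store"); // constructed storage slot
        assembly { s.slot := slot }
    }

    // `external` on a library function is not an entry point with its own state:
    // the facet reaches this code by DELEGATECALL, so store() is the facet's storage
    // and msg.sender is whoever called the facet. A direct CALL to the deployed
    // library reverts (Solidity's call protection for non-view library functions).
    function executeWithdraw(uint256 id) external {
        Store storage s = store();
        Request memory r = s.requests[id];
        require(r.account != address(0), "unknown request");
        delete s.requests[id];            // clear the request before the transfer
        s.balance[r.account] -= r.amount; // reverts on underflow (0.8 checked math)
        (bool ok, ) = r.account.call{value: r.amount}("");
        require(ok, "transfer failed");
    }

    function cancelWithdraw(uint256 id) external {
        Store storage s = store();
        require(s.requests[id].account != address(0), "unknown request");
        delete s.requests[id];
    }
}

// Hypothetical facet: the only externally reachable path into the library code.
contract AccountFacetExample {
    address public immutable keeper; // assumed role, for illustration only
    constructor(address keeper_) { keeper = keeper_; }
    modifier onlyKeeper() { require(msg.sender == keeper, "not keeper"); _; }
    function deposit() external payable { WithdrawProcessExample.store().balance[msg.sender] += msg.value; }
    function createWithdrawRequest(uint256 amount) external returns (uint256 id) {
        WithdrawProcessExample.Store storage s = WithdrawProcessExample.store();
        id = ++s.nextId;
        s.requests[id] = WithdrawProcessExample.Request(msg.sender, amount);
    }

    function executeWithdraw(uint256 id) external onlyKeeper { WithdrawProcessExample.executeWithdraw(id); }
    function cancelWithdraw(uint256 id) external onlyKeeper { WithdrawProcessExample.cancelWithdraw(id); }
}
```

When reviewing a finding of this shape, the check that matters is on the calling contract's wrapper (here the `onlyKeeper` modifier), since that is where an external caller's `msg.sender` is evaluated.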