Category: Coding Mistakes

The function setWithdrawThreshold lacks access control

Critical Severity
Critical Impact
High Likelihood

Description

The external function setWithdrawThreshold is used to allow governance to set the withdraw threshold parameter:

// No access-control modifier on this external function: any caller can invoke it.
function setWithdrawThreshold(uint256 _withdrawThreshold) external {
    require(_withdrawThreshold < 100 * _PRECISION, "THRESHOLD_EXCEEDS_MAX");
    withdrawThreshold = _withdrawThreshold;
    emit WithdrawThresholdUpdated(_withdrawThreshold);
}

However, this function lacks all access control.

Impact

Anyone can update the withdraw threshold at any time.

Front-runners can cause user withdrawals to revert by setting the withdrawThreshold to zero. Users can change the withdrawThreshold to withdraw more than intended.

Recommendations

Add the missing onlyGov modifier to this function.
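As an added illustration (not Avantis's code): a minimal stand-in contract with the recommended onlyGov modifier applied to the setter, plus a Foundry regression test that fails against the unguarded version and passes once the guard is present. The gov address, the _PRECISION value and the GOV_ONLY revert string are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Minimal stand-in for the affected contract (not Avantis's code); gov and _PRECISION are assumed.
contract WithdrawConfig {
    uint256 internal constant _PRECISION = 1e10; // assumed scale factor
    address public immutable gov;
    uint256 public withdrawThreshold;
    event WithdrawThresholdUpdated(uint256 newThreshold);
    modifier onlyGov() {
        require(msg.sender == gov, "GOV_ONLY");
        _;
    }
    constructor(address _gov) { gov = _gov; }

    // Hardened setter: the onlyGov modifier recommended by the finding is applied.
    function setWithdrawThreshold(uint256 _withdrawThreshold) external onlyGov {
        require(_withdrawThreshold < 100 * _PRECISION, "THRESHOLD_EXCEEDS_MAX");
        withdrawThreshold = _withdrawThreshold;
        emit WithdrawThresholdUpdated(_withdrawThreshold);
    }
}

// Regression test: fails against the unguarded setter, passes once onlyGov is in place.
contract WithdrawConfigTest is Test {
    WithdrawConfig cfg;
    address gov = makeAddr("gov");
    address stranger = makeAddr("stranger");
    function setUp() public {
        cfg = new WithdrawConfig(gov);
        vm.prank(gov);
        cfg.setWithdrawThreshold(50 * 1e10);
    }
    // A non-governance caller must not be able to zero the threshold (the withdrawal-revert path).
    function test_strangerCannotZeroThreshold() public {
        vm.prank(stranger);
        vm.expectRevert(bytes("GOV_ONLY"));
        cfg.setWithdrawThreshold(0);
        assertEq(cfg.withdrawThreshold(), 50 * 1e10); // unchanged
    }
    function test_govCanUpdateWithinBounds() public {
        vm.prank(gov);
        cfg.setWithdrawThreshold(75 * 1e10);
        assertEq(cfg.withdrawThreshold(), 75 * 1e10);
    }
}
```

Running the same test against the original setter (no onlyGov) makes test_strangerCannotZeroThreshold fail, which is the signal a CI suite would have given for this finding.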

Remediation

This issue has been acknowledged by Avantis Labs, Inc., and a fix was implemented in commit 4e5b1384.

Zellic © 2025