Category: Coding Mistakes
The function setWithdrawThreshold lacks access control
Critical Severity
Critical Impact
High Likelihood
Description
The external function setWithdrawThreshold is used to allow governance to set the withdraw threshold parameter:

    function setWithdrawThreshold(uint256 _withdrawThreshold) external {
        require(_withdrawThreshold < 100 * _PRECISION, "THRESHOLD_EXCEEDS_MAX");
        withdrawThreshold = _withdrawThreshold;
        emit WithdrawThresholdUpdated(_withdrawThreshold);
    }

However, this function lacks all access control.
Impact
Anyone can update the withdraw threshold at any time.
Front-runners can cause user withdrawals to revert by setting the withdrawThreshold to zero. Users can change the withdrawThreshold to withdraw more than intended.
Recommendations
Add the missing onlyGov modifier to this function.
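One way the recommended fix can look, as an added example rather than the project's own code. The `gov` storage variable, the body of `onlyGov`, the `_PRECISION` value, the event declaration and the `NonGovCaller` regression helper are assumptions, since the page shows only the function body.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: minimal stand-in contract, not the audited project's code.
contract ThresholdVault {
    // Assumed value; the page does not show how _PRECISION is defined.
    uint256 private constant _PRECISION = 1e10;

    address public gov;               // assumed governance address storage
    uint256 public withdrawThreshold;

    // Assumed declaration matching the emit in the audited function.
    event WithdrawThresholdUpdated(uint256 newThreshold);

    error NotGov(address caller);

    constructor(address _gov) {
        require(_gov != address(0), "GOV_ZERO");
        gov = _gov;
    }

    // Assumed shape of the onlyGov modifier named in the recommendation.
    modifier onlyGov() {
        if (msg.sender != gov) revert NotGov(msg.sender);
        _;
    }

    // Same body as the audited function; the only change is onlyGov.
    function setWithdrawThreshold(uint256 _withdrawThreshold) external onlyGov {
        require(_withdrawThreshold < 100 * _PRECISION, "THRESHOLD_EXCEEDS_MAX");
        withdrawThreshold = _withdrawThreshold;
        emit WithdrawThresholdUpdated(_withdrawThreshold);
    }
}

// Regression helper: a caller that is not gov must be rejected.
contract NonGovCaller {
    function trySet(ThresholdVault vault, uint256 value) external returns (bool ok) {
        try vault.setWithdrawThreshold(value) {
            ok = true;   // would mean the access control is missing again
        } catch {
            ok = false;  // expected path: the call reverts with NotGov
        }
    }
}
```

A test suite can deploy `NonGovCaller`, call `trySet`, and require that it returns `false` and that `withdrawThreshold` is unchanged.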
Remediation
This issue has been acknowledged by Avantis Labs, Inc., and a fix was implemented in commit 4e5b1384.