Assessment report: CetusProtocol, informational findings
Category: Business Logic

Incorrect access control

Impact: Informational
Severity: Informational
Likelihood: N/A

Description

During swap or flash-loan operations, authorized partners can use the flash_swap_with_partner or flash_loan_with_partner functions to collect referral fees. The pool module invokes the partner module's receive_ref_fee function to transfer the fee to the partner. However, receive_ref_fee is declared public rather than public(friend), so any module or transaction can call it, not only the pool module.

/// Receive ref fee.
/// This method is called when swap and partner is provided.
public fun receive_ref_fee<T>(
    partner: &mut Partner,
    fee: Balance<T>
) {

Impact

This access-control oversight does not directly create a security issue: a caller can only pass in a Balance<T> that it already owns, so it cannot drain partner funds or claim fees it is not owed. It does, however, expose an unnecessary public entry point, since fee deposits should only originate from the pool module's swap and flash-loan paths.

Recommendations

Declare receive_ref_fee as public(friend) and add a friend declaration for the pool module in the partner module, so that only the pool module can deposit referral fees.
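The following is an added illustration of the recommended fix, not code from the CetusProtocol repository. The module addresses (cetus_clmm::partner, cetus_clmm::pool), the Partner struct layout (a Bag keyed by type name), and the pool-side caller pay_ref_fee are assumptions made for the example; only the receive_ref_fee signature comes from the finding above.

```move
// Added example (not CetusProtocol's code). Shows receive_ref_fee restricted
// to the pool module with a friend declaration. Addresses, the Partner
// struct fields and the pool caller are assumed for illustration.
module cetus_clmm::partner {
    use std::type_name::{Self, TypeName};
    use sui::balance::{Self, Balance};
    use sui::bag::{Self, Bag};
    use sui::object::UID;

    // Only modules listed here may call the public(friend) functions below.
    friend cetus_clmm::pool;

    struct Partner has key, store {
        id: UID,
        // Assumed storage: one Balance<T> per coin type, keyed by TypeName.
        balances: Bag,
    }

    // Before the fix this was `public fun`, callable by anyone.
    // With public(friend) only cetus_clmm::pool can deposit a referral fee.
    public(friend) fun receive_ref_fee<T>(partner: &mut Partner, fee: Balance<T>) {
        let key = type_name::get<T>();
        if (bag::contains(&partner.balances, key)) {
            let existing = bag::borrow_mut<TypeName, Balance<T>>(&mut partner.balances, key);
            balance::join(existing, fee);
        } else {
            bag::add(&mut partner.balances, key, fee);
        }
    }
}

module cetus_clmm::pool {
    use sui::balance::Balance;
    use cetus_clmm::partner::{Self, Partner};

    // Hypothetical pool-side caller: the swap or flash-loan path hands the
    // referral fee to the partner. This compiles because pool is a friend;
    // the same call from any other module would be rejected at compile time.
    public fun pay_ref_fee<T>(partner: &mut Partner, fee: Balance<T>) {
        partner::receive_ref_fee(partner, fee);
    }
}
```

Note that the check is enforced by the Move compiler and bytecode verifier rather than at runtime, so no on-chain assertion is needed. In the Move 2024 edition used by newer Sui toolchains, `friend` declarations and `public(friend)` are replaced by `public(package)`, which grants access to every module in the same package.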

Remediation

Zellic © 2025