Description

The Manager contract in StakeV2.sol does not have access control. The functions addManager and removeManager lack any access control, allowing arbitrary addresses to be registered or removed as a manager.

function addManager(address _manager) external override {
    require(!managers[_manager], "Manager already exists");
    require(_manager != address(0), "Invalid address");
    managers[_manager] = true;
}

function removeManager(address _manager) external override {
    require(managers[_manager], "Manager does not exist");
    require(_manager != address(0), "Invalid address");
    managers[_manager] = false;
}

Impact

In StakeV2, the function executeRewardDistribution can be arbitrarily utilized by users registered as managers. This means that any user can execute the reward distribution, potentially leading to a loss of funds.

Recommendations

We recommend adding some access control to ensure that only the owner or existing managers can execute the addManager and removeManager functions.

Remediation

This issue has been acknowledged by Sanguine Labs LTD, and a fix was implemented in commit 2d4a4596↗.