Category: Coding Mistakes
Lack of user access control in StakeV2
Critical Severity
Critical Impact
High Likelihood
Description
The Manager contract in StakeV2.sol does not have access control. The functions addManager
and removeManager
lack any access control, allowing arbitrary addresses to be registered or removed as a manager.
function addManager(address _manager) external override {
require(!managers[_manager], "Manager already exists");
require(_manager != address(0), "Invalid address");
managers[_manager] = true;
}
function removeManager(address _manager) external override {
require(managers[_manager], "Manager does not exist");
require(_manager != address(0), "Invalid address");
managers[_manager] = false;
}
Impact
In StakeV2, the function executeRewardDistribution
can be arbitrarily utilized by users registered as managers. This means that any user can execute the reward distribution, potentially leading to a loss of funds.
Recommendations
We recommend adding some access control to ensure that only the owner or existing managers can execute the addManager
and removeManager
functions.
Remediation
This issue has been acknowledged by Sanguine Labs LTD, and a fix was implemented in commit 2d4a4596↗.