Change claimFees to not use requiresAuth and instead specifically che…

…ck if the caller is the boring vault
Se7en-Seas · Apr 8, 2024 · 6d64ee3 · 6d64ee3
1 parent 506e197
commit 6d64ee3
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/src/base/Roles/AccountantWithRateProviders.sol b/src/base/Roles/AccountantWithRateProviders.sol
@@ -68,6 +68,7 @@ contract AccountantWithRateProviders is Auth, IRateProvider {
     error AccountantWithRateProviders__ManagementFeeTooLarge();
     error AccountantWithRateProviders__Paused();
     error AccountantWithRateProviders__ZeroFeesOwed();
+    error AccountantWithRateProviders__OnlyCallableByBoringVault();
 
     //============================== EVENTS ===============================
 
@@ -275,7 +276,9 @@ contract AccountantWithRateProviders is Auth, IRateProvider {
      * @notice Claim pending fees.
      * @dev This function must be called by the BoringVault.
      */
-    function claimFees(ERC20 feeAsset) external requiresAuth {
+    function claimFees(ERC20 feeAsset) external {
+        if (msg.sender != address(vault)) revert AccountantWithRateProviders__OnlyCallableByBoringVault();
+
         AccountantState storage state = accountantState;
         if (state.isPaused) revert AccountantWithRateProviders__Paused();
         if (state.feesOwedInBase == 0) revert AccountantWithRateProviders__ZeroFeesOwed();

diff --git a/test/AccountantWithRateProviders.t.sol b/test/AccountantWithRateProviders.t.sol
@@ -303,7 +303,11 @@ contract AccountantWithRateProvidersTest is Test, MainnetAddresses {
 
         address attacker = vm.addr(1);
         vm.startPrank(attacker);
-        vm.expectRevert(bytes("UNAUTHORIZED"));
+        vm.expectRevert(
+            abi.encodeWithSelector(
+                AccountantWithRateProviders.AccountantWithRateProviders__OnlyCallableByBoringVault.selector
+            )
+        );
         accountant.claimFees(WETH);
         vm.stopPrank();