Missing access restriction on lockUnits/unlockUnits
#208
Labels: 3 (High Risk); bug (Something isn't working); filed (This issue has been filed in the main repo.); sponsor confirmed
Handle
@cmichelio
Vulnerability details
The Pool.lockUnits allows anyone to steal pool tokens from a member and assign them to msg.sender.
Impact
Anyone can steal pool tokens from any other user.
Recommended Mitigation Steps
Add access control and require that msg.sender is the router or another authorized party.
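
The recommended mitigation as a minimal sketch, added here as an illustration and not taken from the audited project: the contract name, the ROUTER variable, the balanceOf mapping, the mint helper and all function signatures are assumptions, since the issue does not show the original source.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed model of a pool that tracks member units. Not the audited contract.
contract PoolSketch {
    address public immutable ROUTER;               // assumed: the single authorized caller
    mapping(address => uint256) public balanceOf;  // pool units held per account

    constructor(address router) {
        require(router != address(0), "router is zero address");
        ROUTER = router;
    }

    // The access restriction the report asks for.
    modifier onlyRouter() {
        require(msg.sender == ROUTER, "caller is not the router");
        _;
    }

    // Hypothetical helper so the sketch can be exercised in a test harness.
    function mint(address member, uint256 units) external onlyRouter {
        balanceOf[member] += units;
    }

    // Pattern described in the issue: no caller check, so the units of
    // whichever `member` is named are credited to msg.sender.
    function lockUnitsUnrestricted(uint256 units, address member) external {
        balanceOf[member] -= units;
        balanceOf[msg.sender] += units;
    }

    // Hardened form: only the router can move a member's units into custody.
    function lockUnits(uint256 units, address member) external onlyRouter {
        balanceOf[member] -= units;      // checked arithmetic reverts on underflow
        balanceOf[msg.sender] += units;  // msg.sender is ROUTER here
    }

    // The reverse direction gets the same restriction.
    function unlockUnits(uint256 units, address member) external onlyRouter {
        balanceOf[msg.sender] -= units;
        balanceOf[member] += units;
    }
}
```

A regression test for the fix would call lockUnits and unlockUnits from a non-router account and expect both calls to revert with the member's balance unchanged.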