Unprotected function
Missing (or incorrectly used) modifier on a function allows an attacker to use sensitive functionality in the contract.
Attack Scenario
A contract with a `changeOwner` function does not label it as `private` and therefore allows anyone to become the contract owner.
Mitigations
Always specify a modifier for functions.
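As an added illustration (not code from this page or from any of the projects listed below), the pattern above in Solidity: a vault whose `onlyOwner` modifier is declared but never applied to `changeOwner`, followed by the corrected contract. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Vulnerable: onlyOwner is declared but never applied to changeOwner,
// so any caller can take ownership and then pass the withdraw() check.
contract UnprotectedVault {
    address public owner;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() payable {
        owner = msg.sender;
    }

    // BUG: missing onlyOwner; anyone can call this.
    function changeOwner(address newOwner) public {
        owner = newOwner;
    }

    // Guarded only on paper: after changeOwner, the caller is the owner.
    function withdraw() public onlyOwner {
        payable(owner).transfer(address(this).balance);
    }
}

// Hardened: every privileged function carries the modifier, and the
// zero address is rejected so ownership cannot be lost by mistake.
contract ProtectedVault {
    address public owner;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() payable {
        owner = msg.sender;
    }

    function changeOwner(address newOwner) public onlyOwner {
        require(newOwner != address(0), "zero address");
        owner = newOwner;
    }

    function withdraw() public onlyOwner {
        payable(owner).transfer(address(this).balance);
    }
}
```

A static analyzer or a unit test that calls each privileged function from a non-owner account and expects a revert catches the first contract before deployment.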
Examples
- An `onlyOwner` modifier is defined but not used, allowing anyone to become the `owner`
- April 2016: Rubixi allows anyone to become owner
- July 2017: Parity Wallet. For code, see initWallet
- BitGo Wallet v2 allows anyone to call tryInsertSequenceId. If it is called with a sequence id close to MAXINT, no further transactions would be allowed. Fix: make tryInsertSequenceId private.
- Feb 2020: Nexus Mutual's Oraclize callback was unprotected—allowing anyone to call it. Oraclize triggers a rebalance to occur via Uniswap.