Platform: Code4rena
Start Date: 07/07/2023
Pot Size: $121,650 USDC
Total HM: 36
Participants: 111
Period: 7 days
Judge: Picodes
Total Solo HM: 13
Id: 258
League: ETH
Rank: 87/111
Findings: 1
Award: $19.29
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Udsen
Also found by: 0x11singh99, 0xPsuedoPandit, Daniel526, Darwin, Inspecktor, Jorgect, Nyx, Praise, Tripathi, YY, catellatech, namx05, squeaky_cactus, xuwinnie
19.2867 USDC - $19.29
In the code comments, it is mentioned:
/// @notice Allows a caller to set the DrawManager if not already set.
/// @dev Notice that this can be front-run: make sure to verify the drawManager after construction
/// @param _drawManager The draw manager
setDrawManager allows the caller to set the DrawManager address without performing permission verification, only checking for the zero address.
As long as the current DrawManager address is not the zero address, anyone can call this function to change the DrawManager address.
This may result in unauthorized individuals or contracts being able to call withdrawReserve() to withdraw tokens.
Add appropriate permission verification to the setDrawManager function. Check the caller's permissions.
MEV
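The recommended mitigation, sketched as an added example that is not the audited project's code: a set-once setter with no caller check, as the quoted comment describes, beside a version restricted to the deployer. Only `setDrawManager`, `drawManager` and `withdrawReserve` are names from the finding; the contract names, `deployer`, `reserve`, the event and the errors are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Constructed example. Only setDrawManager, drawManager and withdrawReserve
// are names from the finding; everything else is an assumption.

/// Set-once setter with no caller check: whoever calls first after
/// deployment chooses the draw manager.
contract UnguardedSetter {
    address public drawManager;

    function setDrawManager(address _drawManager) external {
        require(drawManager == address(0), "already set");
        drawManager = _drawManager;
    }
}

/// Same setter, restricted to the account that deployed the contract.
contract GuardedSetter {
    address public immutable deployer; // assumed authority
    address public drawManager;
    uint256 public reserve; // simplified accounting, no token transfer

    event DrawManagerSet(address indexed newDrawManager);
    error NotDeployer(address caller);
    error NotDrawManager(address caller);
    error DrawManagerAlreadySet();
    error ZeroAddress();
    error InsufficientReserve(uint256 requested, uint256 available);

    constructor(uint256 _reserve) {
        deployer = msg.sender;
        reserve = _reserve;
    }

    function setDrawManager(address _drawManager) external {
        if (msg.sender != deployer) revert NotDeployer(msg.sender);
        if (drawManager != address(0)) revert DrawManagerAlreadySet();
        if (_drawManager == address(0)) revert ZeroAddress();
        drawManager = _drawManager;
        emit DrawManagerSet(_drawManager);
    }

    /// Privileged path: only the stored draw manager may reduce the reserve.
    function withdrawReserve(uint256 _amount) external {
        if (msg.sender != drawManager) revert NotDrawManager(msg.sender);
        if (_amount > reserve) revert InsufficientReserve(_amount, reserve);
        reserve -= _amount;
    }
}
```

With the unguarded form, a deployment script should read `drawManager` back after setting it and abort if it differs from the intended address.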
#0 - c4-judge
2023-07-18T18:29:16Z
Picodes marked the issue as duplicate of #356
#1 - c4-judge
2023-08-06T10:32:31Z
Picodes marked the issue as satisfactory