Unrestricted sweepToken Function
Description
The sweepToken function is allowed to be called by anyone, potentially leading to unauthorized access and control. This is a case of improper access control, where the function's accessibility is not restricted to authorized users.
Examples
Insecure Code
solidity
function sweepToken(...) {
token.transfer(...);
}Secure Code
solidity
function sweepToken(...) {
require(msg.sender == admin, "...");
token.transfer(...);
}Remediation
Add a require statement to restrict access to the sweepToken function, such as require(msg.sender == admin, "...");
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0678 |
| Category | AccessControl |
| Severity | HIGH |
| CWE | CWE-284 |
| Confidence | MEDIUM |
| Impact | HIGH |
| Likelihood | LOW |
| Exploitability | MODERATE |
| Tags | access control, solidity |
| OWASP | N/A |
References
- https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f
- https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2
- https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/
- https://chainsecurity.com/security-audit/compound-ctoken/