Omniscia Evergon Labs Audit

UniformlyProvidedVestingFacet Manual Review Findings

UPV-01M: Inexistent Access Control Restriction

Description:

The UniformlyProvidedVestingFacet functions are exposed without any access control via the DelegateCallee dependency, permitting significant manipulation of a campaign's vesting system as well as permitting anyone's fractions to be burned for the underlying assets.

Impact:

The UniformlyProvidedVestingFacet implementation does not implement proper access control for two highly sensitive function implementations that deal with funds.

Example:

packages/contracts/contracts/subInternalFacets/vestingPhaseFacets/doVestingActionFacets/uniformlyProvidedVesting/UniformlyProvidedVestingFacet.sol
function setAndCheckDoVestingActions(bytes calldata postFractionDoVestingActionsData) external {
    UniformlyProvidedVestingFacetStorage.layout().setAndCheckDoVestingActions(postFractionDoVestingActionsData);
}

function doVestingActions(uint256 campaignId, uint256 idToBurn, address account, uint256 amountOfFractions) external {
    UniformlyProvidedVestingFacetStorage.layout().doVestingActions(campaignId, idToBurn, account, amountOfFractions);
}

Recommendation:

We advise the system to properly enforce the DelegateCallee::onlyExternalDelegateCall and DelegateCallee::onlyInternalDelegateCall modifiers for the UniformlyProvidedVestingFacet::setAndCheckDoVestingActions and UniformlyProvidedVestingFacet::doVestingActions functions respectively, preventing unauthorized invocation of those functions.
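
The recommendation above, sketched as an added example that is not the project's code or part of the original report. The DelegateCallee body, its error names and modifier semantics, and the storage library contents are assumptions made so the sketch compiles; only the facet function signatures and the modifier names come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the project's DelegateCallee (its source is not on the page).
abstract contract DelegateCallee {
    // Address of the facet's own deployment, fixed in bytecode at construction.
    address private immutable _self = address(this);
    error DirectCallForbidden();
    error CallerNotSelf();

    // Assumed semantics: must execute via delegatecall, i.e. in the proxy's storage context.
    modifier onlyExternalDelegateCall() {
        if (address(this) == _self) revert DirectCallForbidden();
        _;
    }

    // Assumed semantics: delegatecall whose caller is the proxy itself,
    // so only the system's own code paths can reach the function.
    modifier onlyInternalDelegateCall() {
        if (address(this) == _self) revert DirectCallForbidden();
        if (msg.sender != address(this)) revert CallerNotSelf();
        _;
    }
}

// Placeholder storage library so the sketch compiles; the real vesting logic is not on the page.
library UniformlyProvidedVestingFacetStorage {
    struct Layout { bytes config; mapping(uint256 => mapping(address => uint256)) burned; }
    function layout() internal pure returns (Layout storage l) {
        bytes32 slot = keccak256("example.uniformlyProvidedVesting"); // constructed slot name
        assembly { l.slot := slot }
    }
    function setAndCheckDoVestingActions(Layout storage l, bytes calldata data) internal { l.config = data; }
    function doVestingActions(Layout storage l, uint256, uint256 idToBurn, address account, uint256 amount) internal {
        l.burned[idToBurn][account] += amount;
    }
}

contract UniformlyProvidedVestingFacet is DelegateCallee {
    using UniformlyProvidedVestingFacetStorage for UniformlyProvidedVestingFacetStorage.Layout;

    function setAndCheckDoVestingActions(bytes calldata postFractionDoVestingActionsData) external onlyExternalDelegateCall {
        UniformlyProvidedVestingFacetStorage.layout().setAndCheckDoVestingActions(postFractionDoVestingActionsData);
    }

    function doVestingActions(uint256 campaignId, uint256 idToBurn, address account, uint256 amountOfFractions) external onlyInternalDelegateCall {
        UniformlyProvidedVestingFacetStorage.layout().doVestingActions(campaignId, idToBurn, account, amountOfFractions);
    }
}
```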

Alleviation (71cda4ccfdcfa25fb96a4565f1f8143b350dd246):

The Evergon Labs team evaluated this exhibit and opted to apply access control to both functions, marking them as internally accessible via the relevant delegate-call-based access control mechanism, thus alleviating this exhibit.