fix: Unable to call some functions in the incentive contracts with onlyOwner modifier #132

Open
1 task done
Quazia opened this issue Sep 30, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@Quazia
Member

Quazia commented Sep 30, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package Version

0.0.0-alpha.12

Current Behavior

Summary
BoostCore.sol will always be set as the owner of Boost provided incentive contracts because the initializer is called here within _makeIncentives. Therefore any function using the onlyOwner modifier within the incentive contracts must be called by BoostCore. For example, there is no way to call drawRaffle or clawback from the BoostCore contract.

Expected Behavior

No response

Steps To Reproduce

Root Cause
createBoost is called to create a new boost. Each incentive is initialized by the call to _makeIncentives. Within _makeIncentives the initializer is called for each incentive. The initializer function within each incentive contract sets the owner as msg.sender which would be the BoostCore contract.

Internal pre-conditions
Boost is created using the out of the box incentive contract as one of the incentives including: ERC20Incentive, CGDAIncentive, ERC20VariableIncentive, and ERC1155Incentive

External pre-conditions
No response

Attack Path
  1. User calls createBoost to create a new Boost
  2. They choose to use an out of the box incentive contract listed above
  3. They are initialized with BoostCore as the owner

Impact
  • No winner can be drawn for raffle contests through ERC20Incentive contract
  • Any funds in the contract that need to be rescued cannot be retrieved through clawback

PoC

Link to Minimal Reproducible Example (StackBlitz, CodeSandbox, GitHub repo etc.)

sherlock-audit/2024-06-boost-aa-wallet-judging#43

Anything else?

No response

@Quazia Quazia added the bug Something isn't working label Sep 30, 2024
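
The ownership pattern reported in this issue, reduced to a self-contained model. This is an added example, not code from the Boost repository or from the issue author: the contract names ModelIncentive, ModelCore and OwnershipCheck are hypothetical, the incentive is deployed with `new` for brevity, and `clawback` is an empty placeholder with no arguments.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed model of the pattern in the issue, not the project's contracts.
contract ModelIncentive {
    address public owner;
    bool private initialized;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Owner becomes whoever calls the initializer.
    function initialize() external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = msg.sender;
    }

    // Placeholder for an onlyOwner function such as clawback or drawRaffle.
    function clawback() external onlyOwner {}
}

contract ModelCore {
    // Stands in for createBoost -> _makeIncentives: the core contract
    // itself makes the initialize() call.
    function createBoost() external returns (ModelIncentive incentive) {
        incentive = new ModelIncentive();
        incentive.initialize(); // msg.sender inside initialize() is address(this)
    }
}

contract OwnershipCheck {
    // Plays the role of the boost creator and reports what it observes.
    function run() external returns (bool ownerIsCore, bool creatorLockedOut) {
        ModelCore core = new ModelCore();
        ModelIncentive incentive = core.createBoost();
        ownerIsCore = incentive.owner() == address(core);
        try incentive.clawback() {
            creatorLockedOut = false; // call succeeded: creator has owner rights
        } catch {
            creatorLockedOut = true;  // reverted with "not owner"
        }
    }
}
```

Calling `run()` returns `(true, true)`: the core contract is the recorded owner, and the creator's direct call to the owner-only function reverts. The same two assertions, written against a real deployment, make a regression test for any change to how the owner is assigned.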