Skip to content

fee_collector::collect_fee has no access control — anyone can inflate lifetime fee totals #1

Description

@abayomicornelius

fee_collector/src/lib.rs collect_fee() (around line 92) updates the persistent KEY_TOTAL accounting counter without calling require_auth() on any address, unlike withdraw and set_treasury which correctly require admin auth.

Since stellar_send calls this after transferring tokens, but nothing enforces that the caller is actually stellar_send or that a matching transfer occurred, any external account can call collect_fee(token, amount) directly to corrupt get_total_collected, which is used for treasury/indexer reporting per the README's events table. This should require auth from a configured caller (e.g. the registered stellar_send contract address) or from admin.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingcontractsSmart contract logicsecuritySecurity concern

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions