F-2025-0009·access-control
Incorrect access control in TreasuryBTC::withdrawForStaking
TL;DR
The withdrawForStaking function uses both onlyOwner and a require(msg.sender == founder || msg.sender == owner()) check, making the founder check effectively unreachable when founder differs from owner.
Severity
MEDIUM
Impact
MEDIUM
Likelihood
MEDIUM
Method
Manual review
CAT.
Complexity
LOW
Exploitability
LOW
Description
The function TreasuryBTC::withdrawForStaking has a conflicting access control design: it checks msg.sender == founder || msg.sender == owner(), but the onlyOwner modifier already restricts access to the owner. So, the founder can never call the function if they are not the owner.
```solidity
function withdrawForStaking(uint256 amount) external onlyOwner {
    require(msg.sender == founder || msg.sender == owner(), "Only founder");
    // ...
}
```
Recommendation
Remove the onlyOwner modifier.
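The recommendation applied to a minimal contract, shown beside the reported form. This is an added example, not the audited TreasuryBTC code: ownership is inlined rather than inherited, and the contract name, the onlyFounderOrOwner modifier, the custom error, the event and the Reported/Fixed function suffixes are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited source. Ownership is inlined so the file
// compiles without imports; state layout and the withdrawal body are assumptions.
contract TreasuryAccessSketch {
    address public owner;
    address public founder;

    event WithdrawnForStaking(address indexed caller, uint256 amount);
    error NotFounderOrOwner(address caller);

    constructor(address founder_) {
        owner = msg.sender;
        founder = founder_;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "Ownable: caller is not the owner");
        _;
    }

    // Single place where "founder or owner" is enforced.
    modifier onlyFounderOrOwner() {
        if (msg.sender != founder && msg.sender != owner) {
            revert NotFounderOrOwner(msg.sender);
        }
        _;
    }

    // As reported: onlyOwner runs before the body, so a founder that is not
    // the owner reverts in the modifier and never reaches the require.
    function withdrawForStakingReported(uint256 amount) external onlyOwner {
        require(msg.sender == founder || msg.sender == owner, "Only founder");
        emit WithdrawnForStaking(msg.sender, amount); // withdrawal logic elided on the page
    }

    // After the recommendation: onlyOwner removed, one combined check remains.
    function withdrawForStakingFixed(uint256 amount) external onlyFounderOrOwner {
        emit WithdrawnForStaking(msg.sender, amount); // placeholder for the withdrawal logic
    }
}
```

Calling withdrawForStakingReported from the founder address reverts with the ownership message, while withdrawForStakingFixed succeeds for both founder and owner and reverts with NotFounderOrOwner for anyone else.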
Resolution
Nexalo: withdrawForStaking functionality has been completely removed.
Zealynx: If the founder was supposed to have withdrawal access independent of the owner, that's now lost.