Install: claude install-skill Olaradiallysymmetrical491/web3-bug-bounty-hunting-ai-skills
# CASE STUDY: ROLE MISCONFIGURATION IN A YIELD AGGREGATOR
> Bug Class: Access Control | Severity: Critical/Medium | Payout Range: $10K–$50K
> This file shows how to apply the full 10-class methodology to a real yield aggregator target.
---
## TARGET PROFILE (Anonymized)
| Field | Value |
|-------|-------|
| Protocol Type | Yield aggregator — stablecoin → lending protocol → harvest → DEX → reward token |
| Max Bounty | $50K (Critical) |
| TVL | Low (fresh program, under $100K) |
| Core Contracts | Vault.sol, RewardsDistributor.sol |
| Program Age | ~5 days when hunted (fresh = low competition) |
| Prior Audits | Firm A (16 findings, all Risk Accepted) + Firm B (18 findings, all Risk Accepted) |
**Scorecard:** Max bounty (+2) + custom math (+1) + recent code (+1) + known prior audits (+1) + public source (+1) + program new (+2) = **8/10 → HUNT**
**Why this scores high:** Fresh program on a live bounty platform + prior audits that accepted all risk = team is aware of issues but hasn't patched them. Hunt for what auditors missed or flagged but accepted.
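Since the bug class here is access control, the first pass over Vault.sol and RewardsDistributor.sol is a modifier audit: which state-changing entry points are reachable without a role check, and which roles the constructor hands out. The Python below is an added example for that pass; it is not part of this skill file and not the target's code. The contract text it scans is a constructed sample that mirrors the deposit/harvest flow described in this case study, and the modifier names in `GUARD_MODIFIERS` assume OpenZeppelin-style naming (extend the tuple for a target's custom modifiers).

```python
"""Heuristic access-control triage for Solidity sources (added example).

Lists every external/public function that can change state but carries no
access-control modifier, plus every role granted in the constructor, so the
reviewer can compare the intended role layout with what the code enforces.
Regex based: a first-pass screen, not a parser.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: OpenZeppelin-style modifier names; add the target's own here.
GUARD_MODIFIERS = ("onlyOwner", "onlyRole", "onlyGovernance", "onlyKeeper", "onlyStrategy")

# function <name>(<params>) <attrs> {  or  ;   (attrs = visibility, mutability, modifiers, returns)
FUNC_RE = re.compile(r"function\s+(?P<name>\w+)\s*\((?P<params>[^)]*)\)\s*(?P<attrs>[^{;]*)[{;]", re.S)
GRANT_RE = re.compile(r"_grantRole\s*\(\s*(?P<role>\w+)\s*,\s*(?P<who>[^)]+)\)")


@dataclass
class Finding:
    name: str
    visibility: str
    reason: str


def _visibility(attrs: str) -> str:
    m = re.search(r"\b(external|public|internal|private)\b", attrs)
    return m.group(1) if m else "missing"  # missing visibility is itself worth a look


def unguarded_functions(source: str, expected_open: tuple[str, ...] = ()) -> list[Finding]:
    """Externally reachable, state-changing functions with no guard modifier.

    expected_open: user entry points (deposit, withdraw, ...) that are meant to be
    permissionless; they are skipped so the list shows only surprising hits.
    """
    findings: list[Finding] = []
    for m in FUNC_RE.finditer(source):
        name, attrs = m.group("name"), m.group("attrs")
        if name in expected_open:
            continue
        if _visibility(attrs) not in ("external", "public", "missing"):
            continue
        if re.search(r"\b(view|pure)\b", attrs):
            continue  # cannot change state
        if any(g in attrs for g in GUARD_MODIFIERS):
            continue
        findings.append(Finding(name, _visibility(attrs), "state-changing, no access modifier"))
    return findings


def granted_roles(source: str) -> list[tuple[str, str]]:
    """(role, grantee) pairs from _grantRole calls, in source order."""
    return [(m.group("role"), m.group("who").strip()) for m in GRANT_RE.finditer(source)]


# Constructed sample, loosely modelled on the Vault.sol flow in this case study
# (not the target's real source). setStrategy is deliberately left unguarded.
SAMPLE_VAULT = """
pragma solidity ^0.8.20;
contract Vault is AccessControl {
    bytes32 public constant KEEPER_ROLE = keccak256("KEEPER_ROLE");
    mapping(address => uint256) public deposits;
    uint256 public totalDeposited;
    address public strategy;

    constructor(address keeper) {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(KEEPER_ROLE, keeper);
    }

    function deposit(uint256 amount) external {
        deposits[msg.sender] += amount;
        totalDeposited += amount;
    }

    function harvest() external onlyRole(KEEPER_ROLE) { _performHarvest(); }

    function setStrategy(address newStrategy) external { strategy = newStrategy; }

    function pricePerShare() external view returns (uint256) { return 1e18; }

    function _performHarvest() internal {}
}
"""

if __name__ == "__main__":
    for f in unguarded_functions(SAMPLE_VAULT, expected_open=("deposit",)):
        print(f"REVIEW {f.visibility} {f.name}: {f.reason}")
    for role, who in granted_roles(SAMPLE_VAULT):
        print(f"ROLE   {role} -> {who}")
```

A hit means "review", not "bug": `deposit` is supposed to be open, which is why it goes in `expected_open`, while `setStrategy` changing the fund destination with no role check is exactly the kind of finding an audit report may have listed and the team may have accepted. Cross-check the `granted_roles` output against the program's stated role model before writing anything up.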
---
## ARCHITECTURE + FUND FLOW
```
User deposits Stablecoin
↓ deposit(uint256 amount)
Vault.sol stores:
- deposits[user] += amount
- totalDeposited += amount
- depositTimestamp[user] = block.timestamp
↓ safeTransferFrom(user, address(this), amount)
↓ lendingProtocol.supply(stablecoin, amount, address(this), 0)
Interest-bearing token accrues in Vault.sol balance
↓ (periodic) _performHarvest()
aTok