Slither

Community Analyzer

Detected unprotected variables SLITHER-W1008

Anti-pattern
Critical

Detects unprotected writes to variables that are marked as protected.

Exploit Scenario

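contract Buggy{

    /// @custom:security write-protection="onlyOwner()"
    address owner;

    // Modifier named by the annotation; only the current owner passes.
    modifier onlyOwner(){
        require(msg.sender == owner);
        _;
    }

    // Guarded write: respects the write-protection annotation.
    function set_protected() public onlyOwner(){
        owner = msg.sender;
    }

    // Unguarded write: any caller can overwrite owner.
    function set_not_protected() public{
        owner = msg.sender;
    }
}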

owner must always be written by a function that uses onlyOwner (write-protection="onlyOwner()"); however, anyone can call set_not_protected.

Recommendation

Add access controls to the vulnerable function.

Learn more

protected-vars on Slither's wiki.