Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing event & timelock for critical onlyAdmin functions #101

Open
code423n4 opened this issue Oct 6, 2021 · 1 comment
Open

Missing event & timelock for critical onlyAdmin functions #101

code423n4 opened this issue Oct 6, 2021 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Warden finding

Comments

@code423n4
Copy link
Contributor

Handle

0xRajeev

Vulnerability details

Impact

onlyAdmin functions that change critical contract parameters/addresses/state should emit events and consider adding timelocks so that users and other privileged roles can detect upcoming changes (by offchain monitoring of events) and have the time to react to them.

Privileged functions in all contracts, for e.g. VaultTracker onlyAdmin, have direct financial or trust impact on users who should be given an opportunity to react to them by exiting/engaging without being surprised when changes initiated by such functions are made effective opaquely (without events) and/or immediately (without timelocks).

See similar Medium-severity finding in ConsenSys's Audit of 1inch Liquidity Protocol (https://consensys.net/diligence/audits/2020/12/1inch-liquidity-protocol/#unpredictable-behavior-for-users-due-to-admin-front-running-or-general-bad-timing)

Proof of Concept

https://github.com/Swivel-Finance/gost/blob/5fb7ad62f1f3a962c7bf5348560fe88de0618bae/test/vaulttracker/VaultTracker.sol#L36-L59

https://github.com/Swivel-Finance/gost/blob/5fb7ad62f1f3a962c7bf5348560fe88de0618bae/test/vaulttracker/VaultTracker.sol#L70-L98

https://github.com/Swivel-Finance/gost/blob/5fb7ad62f1f3a962c7bf5348560fe88de0618bae/test/vaulttracker/VaultTracker.sol#L102-L129

https://github.com/Swivel-Finance/gost/blob/5fb7ad62f1f3a962c7bf5348560fe88de0618bae/test/vaulttracker/VaultTracker.sol#L132-L138

https://github.com/Swivel-Finance/gost/blob/5fb7ad62f1f3a962c7bf5348560fe88de0618bae/test/vaulttracker/VaultTracker.sol#L144-L196

https://github.com/Swivel-Finance/gost/blob/5fb7ad62f1f3a962c7bf5348560fe88de0618bae/test/vaulttracker/VaultTracker.sol#L201-L239

and others

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add events to all possible flows (some flows emit events in callers) and consider adding timelocks to such onlyAdmin functions.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Warden finding labels Oct 6, 2021
code423n4 added a commit that referenced this issue Oct 6, 2021
@code423n4
0xRajeev issue #101
4e7160b
@JTraversa JTraversa added the duplicate Another warden found this issue label Oct 7, 2021
@0xean
Copy link
Collaborator

0xean commented Oct 15, 2021

removing duplicate mark since the (valid) suggestion to emit events on the changes made by admin calls

@0xean 0xean removed the duplicate Another warden found this issue label Oct 15, 2021
@0xean 0xean reopened this Oct 16, 2021
@0xean 0xean mentioned this issue Oct 16, 2021
Closed
@code423n4 code423n4 mentioned this issue Nov 22, 2021
Open
@code423n4 code423n4 mentioned this issue Jan 17, 2022
Open
@code423n4 code423n4 mentioned this issue Feb 21, 2022
Open
@code423n4 code423n4 mentioned this issue Apr 13, 2022
Closed
@code423n4 code423n4 mentioned this issue May 3, 2022
Open
This was referenced May 11, 2022
Open
Closed
@code423n4 code423n4 mentioned this issue Sep 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Warden finding
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@0xean @JTraversa @code423n4