Timelock and events for governor functions #120
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
Comments
code423n4
added
2 (Med Risk)
|
The plan has been to have a timelock at some point in the protocol. Probably on whatever is the admin for the mothership. But this just had to be evaluated. It might be on the market contract itself, or on the addresses granted the role of admin. |
|
duplicate #64 |
|
I'm removing the duplicate in this case because issue #64 refers exclusively to the events. This issue is focused primarily on the lack of governance timelock, which has traditionally been considered a medium severity issue. |
This was referenced Feb 21, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
pauliax
Vulnerability details
Impact
There are contracts that contain functions that change important parameters of the system, e.g. OverlayV1Mothership has setOVL, initializeMarket, disableMarket, enableMarket, initializeCollateral, enableCollateral, disableCollateral, adjustGlobalParams. None of these functions emit events, nor they are timelocked. Usually, it is a good practice to give time for users to react and adjust to changes.
A similar issue was submitted in a previous contest and assigned a severity of Medium: code-423n4/2021-09-swivel-findings#101
Recommended Mitigation Steps
Consider using a timelock for critical params of the system and emitting events to inform the outside world.
The text was updated successfully, but these errors were encountered: