Submission Details
Severity: low
Valid

Missing event & timelock for critical onlyOwner functions

Summary

Vulnerability Details

Impact

onlyOwner functions that change critical contract parameters, addresses or state should emit events, and timelocks should be considered for them, so that users and other privileged roles can detect upcoming changes (by off-chain monitoring of events) and have time to react to them.

Privileged functions in all contracts, e.g. the onlyOwner functions in ThunderLoan, have a direct financial or trust impact on users. Users should be given an opportunity to react by exiting or engaging, rather than being surprised when changes initiated by such functions take effect opaquely (without events) and/or immediately (without timelocks).

See the similar Medium-severity finding in ConsenSys's audit of the 1inch Liquidity Protocol (https://consensys.net/diligence/audits/2020/12/1inch-liquidity-protocol/#unpredictable-behavior-for-users-due-to-admin-front-running-or-general-bad-timing)

Tools Used

slither

Recommendations

Check all privileged functions in all contracts, add events to every flow that lacks one (some flows already emit events in their callers), and consider adding timelocks to such onlyOwner functions.
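
A minimal sketch of this recommendation, added here as an illustration and not taken from the audited contracts: a fee setter split into a queue step and an execute step, each emitting an event that off-chain monitors can watch. The contract, event, error and function names and the two-day delay are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: all names and the delay value are hypothetical.
contract TimelockedFee {
    uint256 public constant FEE_DELAY = 2 days; // assumed reaction window

    address public immutable owner;
    uint256 public flashLoanFee;
    uint256 public pendingFee;
    uint256 public pendingFeeEta; // 0 means nothing is queued

    event FlashLoanFeeQueued(uint256 newFee, uint256 eta);
    event FlashLoanFeeUpdated(uint256 oldFee, uint256 newFee);

    error NotOwner();
    error NothingQueued();
    error TooEarly(uint256 eta);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 initialFee) {
        owner = msg.sender;
        flashLoanFee = initialFee;
        emit FlashLoanFeeUpdated(0, initialFee);
    }

    // Step 1: announce the change so off-chain monitors see it before it applies.
    function queueFlashLoanFee(uint256 newFee) external onlyOwner {
        pendingFee = newFee;
        pendingFeeEta = block.timestamp + FEE_DELAY;
        emit FlashLoanFeeQueued(newFee, pendingFeeEta);
    }

    // Step 2: apply the queued value only once the delay has elapsed.
    function executeFlashLoanFee() external onlyOwner {
        uint256 eta = pendingFeeEta;
        if (eta == 0) revert NothingQueued();
        if (block.timestamp < eta) revert TooEarly(eta);
        uint256 oldFee = flashLoanFee;
        flashLoanFee = pendingFee;
        delete pendingFeeEta; // clears the queue, so a repeated execute reverts
        emit FlashLoanFeeUpdated(oldFee, flashLoanFee);
    }
}
```

Queuing a second value before execution overwrites the first and restarts the delay, so the most recent FlashLoanFeeQueued event always describes what can take effect and when.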

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

missing event emission updateFlashLoanFee
