Missing event & timelock for critical onlyOwner functions
Summary
Vulnerability Details
Impact
onlyOwner functions that change critical contract parameters/addresses/state should emit events and consider adding timelocks so that users and other privileged roles can detect upcoming changes (by offchain monitoring of events) and have the time to react to them.
Privileged functions in all contracts, for e.g. ThunderLoan onlyOwner, have direct financial or trust impact on users who should be given an opportunity to react to them by exiting/engaging without being surprised when changes initiated by such functions are made effective opaquely (without events) and/or immediately (without timelocks).
See similar Medium-severity finding in ConsenSys's Audit of 1inch Liquidity Protocol (https://consensys.net/diligence/audits/2020/12/1inch-liquidity-protocol/#unpredictable-behavior-for-users-due-to-admin-front-running-or-general-bad-timing)
Tools Used
slither
Recommendations
Check all Privileged functions in all contracts, add events to all possible flows (some flows emit events in callers) and consider adding timelocks to such onlyOwner functions.
Lead Judging Commences
missing event emission updateFlashLoanFee
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.