The Standard
The Standard
DeFiHardhat
20,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Centralization Risk for trusted VaultManager can steal user's funds

lian886

Summary

The SmartVaultManager has an owner with privileged rights to change vault's owner, then can steal all vault's funds.

Vulnerability Details

The SmartVaultManager has an owner with privileged rights to change vault's owner.

function setOwner(address _newOwner) external onlyVaultManager {
owner = _newOwner;
}

The SmartVaultManager contract is a upgradeable contract. The owner of the SmartVaultManager contract can easily upgrade the SmartVaultManager contract added a function like below:

function setVaultOwner(address _to, uint256 _tokenId)external onlyOwner() {
ISmartVault(smartVaultIndex.getVaultAddress(_tokenId)).setOwner(_to);
}

So the owner of the SmartVaultManager contract can easily change all vault's owner address to his's owner address, then steal all funds.

Impact

Centralization Risk for that the owner of the SmartVaultManager contract can easily change all vault's owner address to his's owner address, then steal all funds.

Tools Used

Foundry

Recommendations

The owner of vault should not be changed by the SmartVaultManager.

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!