Post deployment actions are not performed after deployment as defined in the FPS library.
Vulnerability Details
According to the FPS documentation,
function _afterDeploy(Addresses, address) internal:Specifies post-deployment actions. Such actions can include wiring contracts together, transferring ownership rights, or invoking setter functions as the deployer.
The proposal must perform post deployment actions to wiring the contracts, transferring ownership and or invoking setter function as deployer. But in current implementation the contract mipm17 doesn't perform any post deployment actions which makes the proposal incomplete as the contracts that are deployed are not coupled and ownership isn't handled after deployment.
Impact
Ownership of the proposal isn't handled properly.
Contracts that are to be deployed using the proposal aren't wired as it should be done with
afterDeploy()function.
Tools Used
Manual Review
Recommendations
Perform post deployment actions as suggested by the project:
Reference Implementation: https://docs.soliditylabs.io/forge-proposal-simulator/guides/multisig-proposal
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.