There is no restriction on how often, or how many times, the vault address can be set via Steaking:setVaultAddress. If the vault address is reset when there are already deposits in the vault, this could cause loss of funds and loss of proper user deposit records, damaging the credibility of the protocol team.
In Steaking:setVaultAddress, there is a check that the vault address is non-zero. However, an already-set vault address can be overwritten if the owner calls the same function again with a new vault address. Users who deposited into the earlier vault address would then have no proper deposit record with the updated vault address, potentially leading to a loss of funds or confusion about how the protocol team has moved their funds.
Potential loss of funds and user confusion when the vault address is reset.
Manual review
Implement a check that the vault address has not already been set.
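A sketch of the overwritable setter next to a set-once version, added here as an illustration and not taken from the Steaking source. It is written in Vyper on the assumption that this is the contract's language; the storage names, error strings, event and the name setVaultAddressOverwritable are hypothetical, and only setVaultAddress and its non-zero check come from the finding.

```vyper
# pragma version ^0.4.0
# Added sketch, not the Steaking source. Storage names, error strings and the
# event are assumptions made for illustration.

owner: public(address)
vault: public(address)

event VaultAddressSet:
    vault: address

@deploy
def __init__():
    self.owner = msg.sender

# Behaviour described in the finding: only the zero address is rejected,
# so a second owner call replaces a vault that may already hold deposits.
@external
def setVaultAddressOverwritable(_vaultAddress: address):
    assert msg.sender == self.owner, "not owner"
    assert _vaultAddress != empty(address), "zero address"
    self.vault = _vaultAddress  # earlier vault address is lost here
    log VaultAddressSet(_vaultAddress)

# Recommended form: the address can be written exactly once.
@external
def setVaultAddress(_vaultAddress: address):
    assert msg.sender == self.owner, "not owner"
    assert _vaultAddress != empty(address), "zero address"
    # Set-once guard: revert if a vault has already been configured.
    assert self.vault == empty(address), "vault already set"
    self.vault = _vaultAddress
    log VaultAddressSet(_vaultAddress)
```

A regression test for the fix calls setVaultAddress twice as the owner and expects the second call to revert with the vault address unchanged.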