The _authorizeUpgrade function in Vault and OperatorVault uses the onlyOwner modifier, but the contract code provided contains no explicit mention or documentation of the upgrade functions or the upgrade mechanism. This lack of documentation can lead to confusion or misconfiguration regarding who is authorized to perform upgrades.
In Vault.sol:
Similarly in OperatorVault.sol. While the function restricts upgrades to the contract owner, the lack of documentation and clarity on the upgrade process can cause confusion.
Potential Unauthorized Upgrades: If ownership is not correctly managed, an attacker could perform unauthorized upgrades.
Operational Confusion: Developers and operators may be unsure of the correct upgrade procedures.
Manual code review.
Document Upgrade Mechanism:
Provide clear documentation on how upgrades are performed.
Explain who the owner is and how ownership can be transferred.
Ownership Management:
Ensure that ownership is securely managed, possibly using a multi-signature wallet.
Event Emission:
Emit events when upgrades are authorized or performed to enhance transparency.
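The following contract is an added example, not code from the audited Vault or OperatorVault, showing the three recommendations applied to a UUPS implementation: the upgrade mechanism is documented in NatSpec, ownership uses OpenZeppelin's two-step transfer so it can be handed to a multisig without risk of a typo'd address, and an explicit event is emitted whenever an upgrade is authorized. It assumes OpenZeppelin Contracts Upgradeable v5 import paths; the contract name DocumentedVault and the UpgradeAuthorized event are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed OpenZeppelin Contracts Upgradeable v5 layout.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {Ownable2StepUpgradeable} from "@openzeppelin/contracts-upgradeable/access/Ownable2StepUpgradeable.sol";

/// @title DocumentedVault (hypothetical example, not the audited Vault)
/// @notice Upgrade mechanism, documented here so operators do not have to infer it:
///  - This contract is a UUPS implementation deployed behind an ERC1967 proxy.
///  - Upgrades are performed by calling upgradeToAndCall(newImplementation, data) on the proxy.
///  - Only the current owner may authorize an upgrade (enforced in _authorizeUpgrade).
///  - The owner is expected to be a multi-signature wallet. Ownership moves in two steps:
///    the owner calls transferOwnership(newOwner), then newOwner calls acceptOwnership().
///  - Every authorized upgrade emits UpgradeAuthorized, in addition to the ERC1967
///    Upgraded(address) event emitted by OpenZeppelin when the implementation slot changes.
contract DocumentedVault is Initializable, Ownable2StepUpgradeable, UUPSUpgradeable {
    /// @notice Emitted when the owner authorizes an upgrade to `newImplementation`.
    event UpgradeAuthorized(address indexed authorizedBy, address indexed newImplementation);

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the logic contract so it can never be initialized directly.
        _disableInitializers();
    }

    /// @notice Initializer run once through the proxy.
    /// @param initialOwner Address that may authorize upgrades; should be a multisig.
    function initialize(address initialOwner) external initializer {
        __Ownable_init(initialOwner);
        __Ownable2Step_init();
        __UUPSUpgradeable_init();
    }

    /// @dev Called by upgradeToAndCall before the implementation slot is changed.
    ///      onlyOwner is the only access control on upgrades; OpenZeppelin separately
    ///      verifies that `newImplementation` is a UUPS-compatible contract (ERC1822).
    function _authorizeUpgrade(address newImplementation) internal override onlyOwner {
        emit UpgradeAuthorized(msg.sender, newImplementation);
    }
}
```

With this in place, an operator can answer every question the finding raises from the source alone: the upgrade entry point, who may call it, how the owner is changed, and which events to monitor. Alerting on UpgradeAuthorized and on OwnershipTransferStarted / OwnershipTransferred from the proxy address gives a detection signal for any upgrade or ownership change that was not scheduled.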