Dria
Swan
NFTHardhat
21,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

All swan operators can be removed and Swan ownership can be renounced breaking BuyerAgent::onlyAuthorized() modifier leaving Protocol unable to perform platform calls on buyerAgent.sol

0xw3

Summary

All swan operators can be removed and Swan ownership can be renounced breaking BuyerAgent::onlyAuthorized() modifier leaving Protocol unable to perform platform calls on buyerAgent.sol

Vulnerability Details

Swan documentation states that:

* For every Buyer, there is an `onlyAuthorized` modifier that ensures the modified function is callable by `BuyerAgent` owner, or an address such that `swan.isOperator(addr)` is true. These operators simply exist so that buyer owner's dont have to be online all the time to call `purchase`, `updateState` etc., and can instead let the Swan operators call it for them. 

However if all operators are removed and swan ownership is renounced then BuyerAgent::onlyAuthorized() modifier is broken and the previous statement becames false, because there wont be swan operators anymore and cannot be added:

modifier onlyAuthorized() {
// if its not an operator, and is not an owner, it is unauthorized
if (!swan.isOperator(msg.sender) && msg.sender != owner()) {
revert Unauthorized(msg.sender);
}
_;
}

Impact

This will lead to swan protocol unable to made operations on buyerAgents
However probability is low

Tools Used

Manual Review

Recommendations

Ensure that at least one operator exists if swan ownership will be renounced or
implement a two step ownership change mechanism on swan contract

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.