The removeOracle
function updates the approvedOracles mapping before verifying the caller's authorization.
this allows unauthorized users to modify the state before the authorization check fails, which should never happen.
expect admin's NO ONE should be able to change the state, even temporarily.
it does not check if the _oracleToRemove
is present in the approvedOracles
mapping, which is redundant
the function will emit the event OracleRemved (misspelled) even though the oracle was not in the approved list, which could lead to misleading logs.
In the removeOracle
function, the state variable approvedOracles
is set to false before the function checks if the caller msg.sender is the admin(quantammAdmin). This means that even if the caller is not authorized, the state change occurs prior to the require statement, which then reverts the transaction.
Unauthorized State Modification:- unauthorized users to change the approvedOracles
mapping before the authorization check fails, potentially disrupting the contract's functionality.
Redundant State Changes:- without input validation, the function may unnecessarily modify the state
Misleading Logs:- Emitting an event for an oracle that wasn't actually approved could confuse off-chain systems and auditors.
Event Name Typo: The event OracleRemved
is misspelled; it should be OracleRemoved
Manual Review
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.