Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Irrevocable pending treasury and repair fund updates in `FeeCollector`

Summary

The FeeCollector::setTreasury and FeeCollector::setRepairFund functions allow setting a pending treasury and repair fund update. However, once a pending update is set, it cannot be revoked or canceled, leading to potential security risks if an incorrect or malicious address is configured.

Vulnerability Details

The protocol lacks a mechanism to revoke or cancel a pending treasury or repair fund update once it has been set. If an incorrect or malicious address is configured, the admin can only change it to another address, but cannot reset it to address(0).

Affected Code in FeeCollector

    // Permissionless: anyone may apply a scheduled update once the delay has elapsed.
    function applyTreasuryUpdate() external {
        if (pendingTreasury.newAddress == address(0)) revert InvalidAddress();
        if (block.timestamp < pendingTreasury.effectiveTime) revert UnauthorizedCaller();
        treasury = pendingTreasury.newAddress;
        delete pendingTreasury; // pending slot is only cleared here, after the update takes effect
    }

    function applyRepairFundUpdate() external {
        if (pendingRepairFund.newAddress == address(0)) revert InvalidAddress();
        if (block.timestamp < pendingRepairFund.effectiveTime) revert UnauthorizedCaller();
        repairFund = pendingRepairFund.newAddress;
        delete pendingRepairFund;
    }

Once an update is scheduled, it cannot be canceled. The only way to change the pending update is to override it with another address, preventing the admin from setting it back to address(0).

Setting the Pending Update

    function setRepairFund(address newRepairFund) external override {
        if (!hasRole(DEFAULT_ADMIN_ROLE, msg.sender)) revert UnauthorizedCaller();
        if (newRepairFund == address(0)) revert InvalidAddress(); // address(0) is rejected, so the slot can never be cleared this way
        pendingRepairFund = PendingUpdate({
            newAddress: newRepairFund,
            effectiveTime: block.timestamp + TREASURY_UPDATE_DELAY
        });
        emit RepairFundUpdated(newRepairFund);
    }

The same issue applies to setTreasury, where an admin can only set a new treasury address but cannot revoke an existing pending update.

Steps to Reproduce

  1. Admin calls setRepairFund(newAddress), scheduling an update.

  2. Admin realizes that the address is incorrect or potentially malicious.

  3. Admin attempts to revoke the pending update by setting it to address(0), but this is not allowed.

  4. The only available option is to set another valid address, but there is no way to prevent the update entirely.

Impact

  • Irrevocable Configuration: Once a pending update is scheduled, it cannot be revoked.

  • Potential Security Risks: If a malicious address is mistakenly set, the admin has no way to cancel it entirely.

Tools Used

Manual Review

Recommendations

Introduce a Revocation Mechanism
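The following is an added illustration of such a revocation mechanism, written for this review and not taken from the project's code. It assumes a single-admin check in place of the project's AccessControl roles, an assumed 2-day delay constant, and distinct errors for "nothing pending" and "not yet effective"; only the repair fund path is shown, the treasury path would mirror it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract: timelocked repair-fund update with an explicit cancel step.
contract PendingUpdateWithCancel {
    struct PendingUpdate { address newAddress; uint256 effectiveTime; }

    error UnauthorizedCaller();
    error InvalidAddress();
    error NoPendingUpdate();
    error UpdateNotReady();

    event RepairFundUpdateScheduled(address indexed newAddress, uint256 effectiveTime);
    event RepairFundUpdateCancelled(address indexed cancelledAddress);
    event RepairFundUpdated(address indexed newAddress);

    uint256 public constant UPDATE_DELAY = 2 days; // assumed value, not the project's constant
    address public immutable admin;                // assumed single-admin model
    address public repairFund;
    PendingUpdate public pendingRepairFund;

    modifier onlyAdmin() { if (msg.sender != admin) revert UnauthorizedCaller(); _; }

    constructor(address initialRepairFund) {
        if (initialRepairFund == address(0)) revert InvalidAddress();
        admin = msg.sender;
        repairFund = initialRepairFund;
    }

    // Schedules an update; still rejects address(0) so the live value can never be zeroed.
    function setRepairFund(address newRepairFund) external onlyAdmin {
        if (newRepairFund == address(0)) revert InvalidAddress();
        uint256 effective = block.timestamp + UPDATE_DELAY;
        pendingRepairFund = PendingUpdate({newAddress: newRepairFund, effectiveTime: effective});
        emit RepairFundUpdateScheduled(newRepairFund, effective);
    }

    // Revocation: clears the pending slot so applyRepairFundUpdate() reverts until a new schedule.
    function cancelRepairFundUpdate() external onlyAdmin {
        address cancelled = pendingRepairFund.newAddress;
        if (cancelled == address(0)) revert NoPendingUpdate();
        delete pendingRepairFund;
        emit RepairFundUpdateCancelled(cancelled);
    }

    // Permissionless apply, as in the original, but with a dedicated "not ready" error.
    function applyRepairFundUpdate() external {
        PendingUpdate memory p = pendingRepairFund;
        if (p.newAddress == address(0)) revert NoPendingUpdate();
        if (block.timestamp < p.effectiveTime) revert UpdateNotReady();
        repairFund = p.newAddress;
        delete pendingRepairFund;
        emit RepairFundUpdated(p.newAddress);
    }
}
```

Because the cancel path emits its own event, off-chain monitoring can distinguish a revoked schedule from one that was simply overwritten with another address.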

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
