Summary
Two roles are given the same permission to deactivate gauges in the controller contract
Vulnerability Details
Observe the following two snippets of code:

/**
* @notice Emergency shuts down a gauge
* @dev Only callable by emergency admin
* @param gauge Address of gauge to shut down
*/
function emergencyShutdown(address gauge) external {
    // Only the emergency admin may call this path
    if (!hasRole(EMERGENCY_ADMIN, msg.sender)) revert UnauthorizedCaller();
    if (!isGauge(gauge)) revert GaugeNotFound();
    gauges[gauge].isActive = false;
    emit EmergencyShutdown(gauge, msg.sender);
}
https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/governance/gauges/GaugeController.sol#L438-L448
/**
* @notice Toggles active status of a gauge
* @dev Only callable by gauge admin
* @param gauge Address of gauge to toggle
*/
function toggleGaugeStatus(address gauge) external onlyGaugeAdmin {
    if (!isGauge(gauge)) revert GaugeNotFound();
    // Flips the flag in either direction, so this also deactivates an active gauge
    gauges[gauge].isActive = !gauges[gauge].isActive;
    emit GaugeStatusUpdated(gauge, gauges[gauge].isActive);
}
The ability to deactivate gauges is given to two separate roles: the gauge admin (via toggleGaugeStatus) and the emergency admin (via emergencyShutdown).
Impact
It is possible that the gauge admin is not authorized to deactivate gauges. Because toggleGaugeStatus flips an active gauge to inactive, the gauge admin effectively holds the same shutdown power as the emergency admin.
Tools Used
Manual review
Recommendations
If the gauge admin is not authorized to deactivate gauges, restrict the ability to deactivate a gauge to just the owner.