Description:
The function setHousePrice in RAACHousePrices.sol is meant to allow the owner to set the house price for a given token, as stated in the function comment. However, the actual implementation restricts this action to the oracle (onlyOracle) instead of the owner. This discrepancy creates confusion about who has the authority to update house prices.
Impact:
Misleading Documentation: The comment suggests owner control, but only the oracle can set prices. This can lead to incorrect assumptions by developers and auditors.
Potential Incorrect Role Assignment: If the intention was to give price-setting authority to the owner, using onlyOracle may be an implementation error, potentially limiting the contract’s flexibility.
Proof of Concept:
Recommended Mitigation:
Clarify Intent: If the oracle should set prices, update the comment to reflect that accurately.
Fix Access Control: If the owner should set prices, replace onlyOracle with onlyOwner or allow both roles (onlyOwnerOrOracle).
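A lint-style check for this class of comment/modifier mismatch, added here as an example (it is not code from the RAAC project or from the original report). The Solidity sample is constructed, and the "Allows the <role> to" comment phrasing and the onlyOwner / onlyOracle / onlyOwnerOrOracle modifier names are assumptions taken from the wording of this finding.

```python
import re

# Constructed sample, NOT the actual RAACHousePrices.sol source: it only
# reproduces the comment/modifier mismatch the finding describes.
SAMPLE_SOL = '''
contract HousePricesSample {
    /**
     * @notice Allows the owner to set the house price for a token
     */
    function setHousePrice(uint256 tokenId, uint256 amount) external onlyOracle {
        prices[tokenId] = amount;
    }

    /// @notice Allows the owner to set the oracle address
    function setOracle(address newOracle) external onlyOwner {
        oracle = newOracle;
    }
}
'''

# A doc comment (/** ... */ or a run of /// lines) directly followed by a
# function header; attrs holds visibility and modifiers up to the body.
FUNC_RE = re.compile(
    r'(?P<doc>/\*\*(?:(?!\*/).)*\*/|(?:[ \t]*///[^\n]*\n)+)\s*'
    r'function\s+(?P<name>\w+)\s*\([^)]*\)(?P<attrs>[^{;]*)',
    re.S)
# Heuristic (assumed comment style): the documented actor follows "allows the".
ROLE_IN_DOC = re.compile(r'\b(?:allows?|only)\s+the\s+(owner|oracle)\b', re.I)
ROLE_IN_MODIFIER = re.compile(r'\bonly(\w+)')

def find_role_mismatches(source):
    """Return (function, documented_roles, enforced_roles) where the sets differ."""
    findings = []
    for m in FUNC_RE.finditer(source):
        documented = {r.lower() for r in ROLE_IN_DOC.findall(m.group('doc'))}
        enforced = set()
        for mod in ROLE_IN_MODIFIER.findall(m.group('attrs')):
            enforced |= {r.lower() for r in re.findall(r'Owner|Oracle', mod)}
        if documented and enforced and documented != enforced:
            findings.append((m.group('name'), sorted(documented), sorted(enforced)))
    return findings

if __name__ == '__main__':
    for name, doc, enf in find_role_mismatches(SAMPLE_SOL):
        print(f'{name}: comment says {doc}, modifiers enforce {enf}')
```

Either mitigation clears the finding for setHousePrice; switching to a combined modifier without updating the comment is still reported, because the comment would then name only one of the two permitted roles.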