Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Multiple missing checks while setting the CurveCrvvault

Summary

The setCurveVault function does not implement all the checks it needs to avoid vulnerabilities.

Vulnerability Details

The setCurveVault function only implements a zero-address check, as seen here:

function setCurveVault(address newVault) external onlyOwner {
    require(newVault != address(0), "Invalid vault address");
    address oldVault = address(curveVault);
    curveVault = ICurveCrvUSDVault(newVault);
    emit CurveVaultUpdated(oldVault, newVault);
}

Compare this to the `setStabilityPool` function, which implements a zero-address check alongside a check making sure that the old stabilityPool != the new stabilityPool being passed in as a parameter:

function setStabilityPool(address newStabilityPool) external onlyOwner {
    if (newStabilityPool == address(0)) revert AddressCannotBeZero();
    if (newStabilityPool == stabilityPool) revert SameAddressNotAllowed();
    address oldStabilityPool = stabilityPool;
    stabilityPool = newStabilityPool;
    emit StabilityPoolUpdated(oldStabilityPool, newStabilityPool);
}

Impact

This would cause the old CurveVault to remain in place while the function still executes as if it had changed.

Tools Used

Manual Analysis

Recommendations

Add a check that ensures that oldCurveVault != newCurveVault.
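
The recommended check written out, as an added example that is not the project's code: a self-contained contract whose setCurveVault mirrors the two checks used by setStabilityPool. The contract name VaultConfig, the owner handling, the empty ICurveCrvUSDVault interface and the indexed event parameters are assumptions made so the snippet compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example. The interface is reduced to an empty stub (assumption);
// the real vault interface is not shown on the page.
interface ICurveCrvUSDVault {}

// Hypothetical container contract; only setCurveVault reflects the finding.
contract VaultConfig {
    error AddressCannotBeZero();
    error SameAddressNotAllowed();
    error NotOwner();

    // Event name taken from the page; indexed parameters are an assumption.
    event CurveVaultUpdated(address indexed oldVault, address indexed newVault);

    address public immutable owner;
    ICurveCrvUSDVault public curveVault;

    constructor() {
        owner = msg.sender;
    }

    // Minimal stand-in for the project's onlyOwner modifier (assumption).
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function setCurveVault(address newVault) external onlyOwner {
        // Same zero-address check as the original, expressed as a custom error.
        if (newVault == address(0)) revert AddressCannotBeZero();
        // Added check: reject a no-op update, so CurveVaultUpdated is only
        // emitted when the stored vault address actually changes.
        if (newVault == address(curveVault)) revert SameAddressNotAllowed();

        address oldVault = address(curveVault);
        curveVault = ICurveCrvUSDVault(newVault);
        emit CurveVaultUpdated(oldVault, newVault);
    }
}
```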

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
