Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Anyone can call the updatePeriod function for any gauge

Summary

The function updatePeriod is responsible for updating the period of a specific gauge within the protocol. If the gauge's current period has elapsed, it rolls the gauge over to the next period; if the period of the gauge passed in has not started yet, it initialises it.

Vulnerability Details

Anybody can call this function. Simply put, the issue is one of unrestricted external access to the function.

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.0;

// Minimal stand-in for the gauge contract: the function is callable by anyone,
// and returning msg.sender makes the caller visible in the Chisel session below.
contract Counter {
    function updatePeriod(address gauge) external view returns (address) {
        gauge; // unused in this stub; silences the unused-parameter warning
        return msg.sender;
    }
}

And we can test via Chisel:

➜ import "src/Counter.sol";
➜ Counter counter = new Counter();
➜ address alice = address(0x1);
➜ address bob = address(0x2);
➜ address gauge = address(0x3);
➜ vm.startPrank(alice);
➜ counter.updatePeriod(gauge)
Type: address
└ Data: 0x0000000000000000000000000000000000000001
➜ vm.stopPrank();
➜ vm.startPrank(bob);
➜ counter.updatePeriod(gauge)
Type: address
└ Data: 0x0000000000000000000000000000000000000002
➜ vm.stopPrank();

Impact

The problem is that anybody can call this functionality, which means the period of any existing gauge is subject to arbitrary change by any user who is aware of the function.

Tools Used

Manual review & Chisel

Recommendations

Restrict the function to internal and expose a wrapper that implements the necessary checks, or simply restrict it to a specific role such as GAUGE_ADMIN.
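The following contract is an added illustration of both recommendations, not code from the audited project: the period logic lives in an internal function, and the only external entry point is gated by a GAUGE_ADMIN role (the role name is taken from the recommendation; the contract name, PERIOD_LENGTH, the periodStart mapping and the hand-rolled role mapping are assumptions made for the example).

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.20;

// Added example, not the project's code. Everything except the GAUGE_ADMIN
// role name is an assumption chosen to keep the example self-contained.
contract GaugePeriods {
    bytes32 public constant GAUGE_ADMIN = keccak256("GAUGE_ADMIN");
    uint256 public constant PERIOD_LENGTH = 7 days; // assumed period length

    // role => account => granted (minimal stand-in for a full AccessControl)
    mapping(bytes32 => mapping(address => bool)) private _roles;
    // gauge => timestamp at which the gauge's current period started (0 = not started)
    mapping(address => uint256) public periodStart;

    event PeriodUpdated(address indexed gauge, uint256 newStart, address indexed caller);

    modifier onlyRole(bytes32 role) {
        require(_roles[role][msg.sender], "GaugePeriods: caller lacks role");
        _;
    }

    constructor() {
        _roles[GAUGE_ADMIN][msg.sender] = true;
    }

    function grantRole(bytes32 role, address account) external onlyRole(GAUGE_ADMIN) {
        _roles[role][account] = true;
    }

    function hasRole(bytes32 role, address account) external view returns (bool) {
        return _roles[role][account];
    }

    // Recommendation 1: the period logic is internal, so every external path
    // into it has to pass an access check first.
    // Initialises an unstarted gauge; otherwise rolls it forward once the
    // current period has elapsed, advancing by whole periods so that a late
    // call does not drift the schedule.
    function _updatePeriod(address gauge) internal returns (uint256) {
        uint256 start = periodStart[gauge];
        if (start == 0) {
            start = block.timestamp;
        } else if (block.timestamp >= start + PERIOD_LENGTH) {
            start += ((block.timestamp - start) / PERIOD_LENGTH) * PERIOD_LENGTH;
        }
        periodStart[gauge] = start;
        emit PeriodUpdated(gauge, start, msg.sender);
        return start;
    }

    // Recommendation 2: the external wrapper is restricted to GAUGE_ADMIN.
    function updatePeriod(address gauge) external onlyRole(GAUGE_ADMIN) returns (uint256) {
        return _updatePeriod(gauge);
    }
}
```

Re-running the Chisel session from the finding against this contract, the deployer (the default sender) can call updatePeriod, while the pranked alice and bob calls revert with "caller lacks role" until grantRole(GAUGE_ADMIN, ...) has been called for them. Whether such a restriction is wanted is a protocol design question: the judgement on this submission treats permissionless period rollover as a design choice, so the example shows what the recommendation would look like rather than asserting it is required.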

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
