Vanguard

First Flight #56
Beginner Friendly, DeFi, Foundry
Submission Details
Impact: medium
Likelihood: high

Missing owner role prevents administrative control and fee parameter modification

Author Revealed upon completion

Description

The project README clearly states that one of the main actors in the protocol is an owner. However, nothing in the TokenLaunchHook contract implements an owner. This is compounded by the fact that one of the owner's listed responsibilities is "can modify fee parameters via administrative functions". These administrative functions are not implemented in the contract, which is a separate issue, but even if they were, there would be no way to restrict them to the owner.

There are 2 main actors in this protocol:
1. owner:
RESPONSIBILITIES:
- deploys hook contract with launch parameters (durations, limits, penalties)
- can modify fee parameters via administrative functions
- has full administrative control over launch configuration
- monitors launch progress

Risk

Likelihood:

The missing owner role is a permanent condition from deployment - every deployment of this contract will lack administrative capabilities
Any token launch using this hook will be affected, as there is no way to implement ownership post-deployment

Impact:

This breaks the intended protocol design by not implementing one of the key specified roles, and stops their responsibilities being executed.

Proof of Concept

The TokenLaunchHook contract has no owner state variable, no Ownable inheritance, and no access control modifiers. This confirms that an owner role is not implemented.

Recommended Mitigation

Use the Ownable2Step abstract contract from OpenZeppelin to make the TokenLaunchHook contract ownable, and set the contract deployer as the owner, as specified in the project README.

Note: The relevant OpenZeppelin package can be installed by running forge install OpenZeppelin/openzeppelin-contracts
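
The pattern this recommendation describes, as an added sketch that is not the project's code and assumes OpenZeppelin Contracts v5. LaunchAdminExample, setPenalties, MAX_BPS and the 10,000 bps cap are hypothetical names and values, and BaseHook is left out so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Ownable is imported by name too, because the constructor invokes Ownable(...) directly.
import {Ownable2Step, Ownable} from "@openzeppelin/contracts/access/Ownable2Step.sol";

/// Hypothetical stand-in for the hook's administrative surface.
/// The real contract would be declared as: is BaseHook, Ownable2Step.
contract LaunchAdminExample is Ownable2Step {
    // Assumed upper bound: 10_000 basis points = 100%.
    uint256 public constant MAX_BPS = 10_000;

    uint256 public phase1PenaltyBps;
    uint256 public phase2PenaltyBps;

    event PenaltiesUpdated(uint256 phase1Bps, uint256 phase2Bps);

    error PenaltyTooHigh(uint256 bps);

    /// The deployer becomes the owner, as the README specifies.
    constructor(uint256 _phase1PenaltyBps, uint256 _phase2PenaltyBps) Ownable(msg.sender) {
        _setPenalties(_phase1PenaltyBps, _phase2PenaltyBps);
    }

    /// Administrative function: reverts with OwnableUnauthorizedAccount
    /// for any caller other than the current owner.
    function setPenalties(uint256 _phase1PenaltyBps, uint256 _phase2PenaltyBps)
        external
        onlyOwner
    {
        _setPenalties(_phase1PenaltyBps, _phase2PenaltyBps);
    }

    /// Shared by the constructor and the setter so both enforce the same bound.
    function _setPenalties(uint256 p1, uint256 p2) private {
        if (p1 > MAX_BPS) revert PenaltyTooHigh(p1);
        if (p2 > MAX_BPS) revert PenaltyTooHigh(p2);
        phase1PenaltyBps = p1;
        phase2PenaltyBps = p2;
        emit PenaltiesUpdated(p1, p2);
    }
}
```

With Ownable2Step, transferOwnership only records a pending owner; control moves when that address calls acceptOwnership, so a mistyped address cannot strand the administrative functions.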

+ import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol"
constructor(
IPoolManager _poolManager,
uint256 _phase1Duration,
uint256 _phase2Duration,
uint256 _phase1LimitBps,
uint256 _phase2LimitBps,
uint256 _phase1Cooldown,
uint256 _phase2Cooldown,
uint256 _phase1PenaltyBps,
uint256 _phase2PenaltyBps
- ) BaseHook(_poolManager) {
+ ) BaseHook(_poolManager) Ownable(msg.sender) {
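
Review bot: the added constructor line ") BaseHook(_poolManager) Ownable(msg.sender) {" calls the Ownable base constructor, but the added import brings only Ownable2Step into scope and nothing in the diff adds Ownable2Step to the contract's inheritance list, so the change does not compile as shown. Import both names from the same file (import {Ownable2Step, Ownable} from "@openzeppelin/contracts/access/Ownable2Step.sol";, including the trailing semicolon that the added import line is missing) and declare the contract as inheriting BaseHook and Ownable2Step. If the hook is deployed through a CREATE2 factory, msg.sender in the constructor is the factory rather than the deployer's account, so passing the initial owner as an explicit constructor argument may be the safer form.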
