Snowman Merkle Airdrop

AI First Flight #10
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: high
Likelihood: low
Invalid

Admin cannot change the collector role

Root + Impact

Description

  • Snow::changeCollector can only be called by the collector; the admin cannot make any emergency change to the collector role if the collector address is compromised.

@> modifier onlyCollector() {
       if (msg.sender != s_collector) {
           revert S__NotAllowed();
       }
       _;
   }
@> function changeCollector(address _newCollector) external onlyCollector {
       if (_newCollector == address(0)) {
           revert S__ZeroAddress();
       }
       s_collector = _newCollector;
       emit NewCollector(_newCollector);
   }

Risk

Likelihood:

Low: the possibility of this happening is certainly low, as it only happens when the collector role gets hacked.

Impact:

High: all the fees of the protocol would be stolen.

Recommended Mitigation

+ modifier onlyCollectorAndAdmin() {
- modifier onlyCollector() {
+ if (msg.sender != s_collector && msg.sender != owner) {
- if (msg.sender != s_collector) {
revert S__NotAllowed();
}
_;
}
+ function changeCollector(address _newCollector) external onlyCollectorAndAdmin {
- function changeCollector(address _newCollector) external onlyCollector {
if (_newCollector == address(0)) {
revert S__ZeroAddress();
}
s_collector = _newCollector;
emit NewCollector(_newCollector);
}
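
Review bot: `owner` in the new condition `msg.sender != s_collector && msg.sender != owner` is not declared anywhere in the lines shown, so the modifier as written depends on a state variable or getter that this patch does not add. If the contract exposes its owner through an Ownable-style getter, the comparison needs to call it (`owner()`); otherwise the patch should also add the storage variable and its initialization. The changed lines are listed with `+` before `-`, the reverse of unified diff order, which makes the replaced modifier and function signature harder to follow. A test that calls changeCollector from the owner, the collector and a third address would document the intended access rule.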

Giving the owner permission to change the collector role reduces loss even if the collector gets hacked.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 1 hour ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
