Skip to content
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

bin2chen - changeTreasury() Lack of check and remove old #208

Open
sherlock-admin opened this issue Mar 27, 2023 · 7 comments
Open

bin2chen - changeTreasury() Lack of check and remove old #208

sherlock-admin opened this issue Mar 27, 2023 · 7 comments
Labels
Escalation Resolved This issue's escalations have been approved/rejected Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Copy link
Contributor

bin2chen

medium

changeTreasury() Lack of check and remove old

Summary

changeTreasury() Lack of check and remove old

Vulnerability Detail

changeTreasury() used to set new treasury
The code is as follows:

    function changeTreasury(uint256 _marketId, address _treasury)
        public
        onlyTimeLocker
    {
        if (_treasury == address(0)) revert AddressZero();

        address[2] memory vaults = marketIdToVaults[_marketId];

        if (vaults[0] == address(0) || vaults[1] == address(0)) {
            revert MarketDoesNotExist(_marketId);
        }
        IVaultV2(vaults[0]).whiteListAddress(_treasury);
        IVaultV2(vaults[1]).whiteListAddress(_treasury);
        IVaultV2(vaults[0]).setTreasury(treasury);
        IVaultV2(vaults[1]).setTreasury(treasury);

        emit AddressWhitelisted(_treasury, _marketId);
    }

The above code has the following problem:

  1. no check whether the new treasury same as the old. If it is the same, the whitelist will be canceled.
  2. Use setTreasury(VaultFactoryV2.treasury), it should be setTreasury(_treasury)
  3. not cancel old treasury from the whitelist

Impact

whiteListAddress abnormal

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/VaultFactoryV2.sol#L228

Tool used

Manual Review

Recommendation

    function changeTreasury(uint256 _marketId, address _treasury)
        public
        onlyTimeLocker
    {
        if (_treasury == address(0)) revert AddressZero();

        address[2] memory vaults = marketIdToVaults[_marketId];

        if (vaults[0] == address(0) || vaults[1] == address(0)) {
            revert MarketDoesNotExist(_marketId);
        }

+       require(vaults[0].treasury() !=_treasury,"same"); //check same
+       IVaultV2(vaults[0]).whiteListAddress(vaults[0].treasury()); //cancel old whitelist
+       IVaultV2(vaults[1]).whiteListAddress(vaults[1].treasury()); //cancel old whitelist

        IVaultV2(vaults[0]).whiteListAddress(_treasury);
        IVaultV2(vaults[1]).whiteListAddress(_treasury);
+       IVaultV2(vaults[0]).setTreasury(_treasury);
+       IVaultV2(vaults[1]).setTreasury(_treasury);
-       IVaultV2(vaults[0]).setTreasury(treasury);
-       IVaultV2(vaults[1]).setTreasury(treasury);

        emit AddressWhitelisted(_treasury, _marketId);
    }
@github-actions github-actions bot added the Medium A valid Medium severity issue label Apr 3, 2023
@3xHarry 3xHarry added the Sponsor Confirmed The sponsor acknowledged this issue is valid label Apr 5, 2023
@dmitriia dmitriia added the Has Duplicates A valid issue with 1+ other issues describing the same vulnerability label Apr 9, 2023
@dmitriia
Copy link
Collaborator

dmitriia commented Apr 9, 2023

Keeping it separate from 435 because of whitelist observation (1)

3xHarry added a commit to Y2K-Finance/Earthquake that referenced this issue Apr 10, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 11, 2023
@pauliax
Copy link

pauliax commented Apr 11, 2023

Escalate for 10 USDC.

I believe it is unfair to leave it as a solo medium.

#410 also mentions the problem with whitelisting: "Also, probably the old treasury should be removed from the whitelist to prevent accidental abuse of privileges." but was grouped together with other issues from #435.

@sherlock-admin
Copy link
Contributor Author

Escalate for 10 USDC.

I believe it is unfair to leave it as a solo medium.

#410 also mentions the problem with whitelisting: "Also, probably the old treasury should be removed from the whitelist to prevent accidental abuse of privileges." but was grouped together with other issues from #435.

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@3xHarry
Copy link

3xHarry commented Apr 11, 2023

fix Pr: Y2K-Finance/Earthquake#137

@hrishibhat
Copy link

Escalation accepted

Added relevant duplicates based on whitelist observation

@sherlock-admin
Copy link
Contributor Author

Escalation accepted

Added relevant duplicates based on whitelist observation

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.

@sherlock-admin sherlock-admin added Escalation Resolved This issue's escalations have been approved/rejected and removed Escalated This issue contains a pending escalation labels Apr 27, 2023
@3xHarry 3xHarry added the Will Fix The sponsor confirmed this issue will be fixed label Apr 28, 2023
@IAm0x52
Copy link
Collaborator

IAm0x52 commented May 5, 2023

Fixes look good. Carousel now directly uses the treasury address sent on factory

3xHarry added a commit to Y2K-Finance/Earthquake that referenced this issue May 8, 2023
3xHarry added a commit to Y2K-Finance/Earthquake that referenced this issue May 8, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Escalation Resolved This issue's escalations have been approved/rejected Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Development

No branches or pull requests

6 participants