An admin of a Pool can call claim() and setLiquidytCap() along with the Pool Delegate. This critical operation of admin status change in setAdmin function should be logged as an event for off-chain monitoring. However, such an event emission is missing here.
lucas-manuel
commented
3 years ago
Handle
0xRajeev
Vulnerability details
Impact
An admin of a Pool can call claim() and setLiquidytCap() along with the Pool Delegate. This critical operation of admin status change in setAdmin function should be logged as an event for off-chain monitoring. However, such an event emission is missing here.
Proof of Concept
https://github.com/maple-labs/maple-core/blob/355141befa89c7623150a83b7d56a5f5820819e9/contracts/Pool.sol#L329-L337
Tools Used
Manual Analysis
Recommended Mitigation Steps
Create and emit a suitable event to log admin status change in setAdmin function.