code-423n4 / 2021-05-visorfinance-findings


It is expected that some functions may require either Owner or Delegate as callers. Now only three access options are available: onlyOwner, onlyDelegate, anyone. #68

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

Sherlock

Vulnerability details

Impact

It is strange behavior that some functions are available for a Delegate but not available for the owner himself, like lock() and unlock(). According to our understanding of Visor's design, these functions should be available for the owner as well.

Proof of Concept

Tools Used

Hardhat

Recommended Mitigation Steps

Implement a modifier checking whether the caller is either the Owner or the Delegate, and revert if anyone else is calling. Then carefully check all functions and add this new modifier where it is needed.

ghost commented 3 years ago

sponsor disputed

Lock and Unlock require a signature of the owner account. They are meant to be called by 3rd parties which possess this signature. These methods are not intended to be invoked by the owner account.

ghoul-sol commented 3 years ago

Permission data are included in the function call; invalid.
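Added illustration, not Visor's code and not part of the finding or the replies: a hypothetical contract that puts the onlyOwnerOrDelegate modifier the finding recommends next to a signature-authorized lock() of the kind the sponsor describes, where the owner's permission travels in the call data and the submitting account is irrelevant. The contract name, the digest layout and the nonce scheme are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;
// Illustrative contract (not Visor's code): contrasts the two authorization
// styles discussed in this issue.
contract OwnerOrDelegateExample {
    address public owner;
    address public delegate;
    bool public locked;
    mapping(uint256 => bool) public usedNonces; // replay protection for signed permissions

    constructor(address _delegate) {
        owner = msg.sender;
        delegate = _delegate;
    }

    // Pattern 1: the modifier the finding recommends. Authorization is bound to
    // msg.sender, so only the owner or the delegate account can call directly.
    modifier onlyOwnerOrDelegate() {
        require(msg.sender == owner || msg.sender == delegate, "not owner or delegate");
        _;
    }

    function setDelegate(address newDelegate) external onlyOwnerOrDelegate {
        delegate = newDelegate;
    }

    // Pattern 2: permission carried in the call data, as the sponsor describes for
    // lock/unlock. Any account may submit the transaction; what is checked is that
    // the owner signed this specific action. A sender-based modifier here would
    // block the intended third-party callers rather than harden anything.
    function lock(uint256 nonce, bytes calldata signature) external {
        require(!usedNonces[nonce], "nonce already used");
        // Bind the signed message to this contract, chain and action (assumed layout).
        bytes32 structHash = keccak256(abi.encode(address(this), block.chainid, "lock", nonce));
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", structHash));
        require(recoverSigner(digest, signature) == owner, "not signed by owner");
        usedNonces[nonce] = true;
        locked = true;
    }

    // Splits a 65-byte (r, s, v) signature and recovers the signer via ecrecover.
    function recoverSigner(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (v < 27) v += 27; // accept 0/1 as well as 27/28
        require(v == 27 || v == 28, "bad v");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid signature");
        return signer;
    }
}
```

The contrast is the reviewer's point: in pattern 2 the owner never needs to be msg.sender, so adding a sender-based modifier to lock()/unlock() would not add protection.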