code-423n4 / 2021-06-tracer-findings


The `setDecimals` function of `GasOracle` is permissionless #137

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

The `setDecimals` function of `GasOracle` is permissionless, and thus anyone can set the decimal state variable to any value.

Proof of Concept

Referenced code: GasOracle.sol#L64-L66

Recommended Mitigation Steps

Consider adding an `onlyOwner` modifier to the `setDecimals` function.

raymogg commented 3 years ago

Leftover artifact from when `decimals` was used within the `GasOracle`. Technically valid, but you will notice that `decimals` is no longer used at all, as the `toWad` function is not used.

For that reason this is probably a non-critical issue.

cemozerr commented 3 years ago

Duplicate of https://github.com/code-423n4/2021-06-tracer-findings/issues/78

loudoguno commented 3 years ago

Changed risk from 1 to 0 as per judge's sheet.
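
The mitigation recommended in the report, as an added example that is not part of the original issue thread or Tracer's code: a minimal Solidity sketch of a permissionless setter next to an owner-restricted one. The contract names, the hand-rolled `onlyOwner`, the `MAX_DECIMALS` bound, the event and the `toWad` body are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch, not Tracer's GasOracle. Only the names setDecimals,
// decimals, toWad and onlyOwner come from the issue; the rest is assumed.

contract PermissionlessOracle {
    uint8 public decimals = 8;

    // Before: no access control, so any account can change the scaling value.
    function setDecimals(uint8 _decimals) external {
        decimals = _decimals;
    }
}

contract OwnedOracle {
    uint8 public constant MAX_DECIMALS = 18; // assumed bound for an 18-decimal target
    address public immutable owner;
    uint8 public decimals = 8;

    event DecimalsUpdated(uint8 previous, uint8 current);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // After: restricted to the owner, range-checked, and logged for monitoring.
    function setDecimals(uint8 _decimals) external onlyOwner {
        require(_decimals <= MAX_DECIMALS, "decimals out of range");
        emit DecimalsUpdated(decimals, _decimals);
        decimals = _decimals;
    }

    // Assumed consumer of the value: scales a raw answer to 18 decimals.
    // If decimals could exceed 18, the subtraction would revert (checked
    // arithmetic in 0.8+), which is why an open setter matters once used.
    function toWad(uint256 raw) public view returns (uint256) {
        return raw * 10 ** (18 - uint256(decimals));
    }
}
```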