Closed code423n4 closed 3 years ago
Leftover artifact from when decimals was used within the GasOracle. Technically valid, but you will notice that decimals is no longer used at all, as the toWad function is not used.
For that reason this is probably a non-critical issue.
changed risk from 1 to 0 as per judges sheet
Handle
shw
Vulnerability details
Impact
The setDecimals function of GasOracle is permissionless, and thus anyone can set the state variable decimal to any value.
Proof of Concept
Referenced code: GasOracle.sol#L64-L66
Recommended Mitigation Steps
Consider adding an onlyOwner modifier to the setDecimals function.
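
The restriction recommended above, shown as an added example that is not the GasOracle source or the reporter's code. The contract names, the hand-written onlyOwner modifier, the event and the initial value of 18 are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. Names and layout are hypothetical and are not
// taken from the audited GasOracle.sol.

/// Before: the setter has no access control, so any account can call it.
contract OracleUnrestricted {
    uint8 public decimals = 18; // assumed initial value

    function setDecimals(uint8 _decimals) external {
        decimals = _decimals;
    }
}

/// After: the setter is gated by an onlyOwner modifier.
contract OracleOwnerOnly {
    address public owner;
    uint8 public decimals = 18; // assumed initial value

    // Emitted on every change so off-chain monitoring can see updates.
    event DecimalsChanged(uint8 previous, uint8 current);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() {
        // The deployer becomes the owner.
        owner = msg.sender;
    }

    function setDecimals(uint8 _decimals) external onlyOwner {
        emit DecimalsChanged(decimals, _decimals);
        decimals = _decimals;
    }
}
```

A call to setDecimals on OracleOwnerOnly from any account other than the deployer reverts, while the same call on OracleUnrestricted succeeds for every caller.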