itsmetechjay
commented
3 years ago Withdrawn by warden. Per Thunder: "I would like to withdraw one finding as I misinterpreted something."
Closed code423n4 closed 3 years ago
itsmetechjay
commented
3 years ago Withdrawn by warden. Per Thunder: "I would like to withdraw one finding as I misinterpreted something."
Handle
pauliax
Vulnerability details
Impact
MarketPlace allows an admin to change swivel to a different address. This function has no validations, even a simple check for zero-address is missing, and there is no validation of the new address being correct. If the admin accidentally uses an invalid address for which they do not have the private key, then the system gets locked because the swivel cannot be corrected and none of the other functions that require a swivel caller can be executed. A similar issue was reported in a previous contest and was assigned a severity of medium: https://github.com/code-423n4/2021-06-realitycards-findings/issues/105
Recommended Mitigation Steps
Consider either introducing a two-step process or making a test call to swivel before updating it.