Closed code423n4 closed 2 years ago
There s nothing in the code suggesting that we either will or will not use a timelock.
Timelock will be used as the owner of all key contracts. This is also not a bug in the code.
As per the pre the judge's comment on a similar issue from the previous audit.
This is a risk for users that they have to take. I don't see a protocol exploit here so making this invalid.
https://github.com/code-423n4/2021-07-wildcredit-findings/issues/93#issuecomment-890592171
I stand by my judgement. Invalid.
Handle
0xRajeev
Vulnerability details
Impact
Setter functions for critical protocol parameters accessible only by privileged roles e.g. onlyOwner should consider adding timelocks so that users and other privileged roles (in the case of a multiSig) can detect upcoming changes and have the time to react to them.
Changes ownership, minRate, maxRate, lowRate and targetUtilization may have a financial or trust impact on users who should be given an opportunity to react to them by exiting/engaging without being surprised when such changes are made effective immediately.
None of the setters in the protocol have a timelock controller functionality to delay enforcement of the critical changes they make.
See similar Medium-severity finding in ConsenSys's Audit of 1inch Liquidity Protocol (https://consensys.net/diligence/audits/2020/12/1inch-liquidity-protocol/#unpredictable-behavior-for-users-due-to-admin-front-running-or-general-bad-timing)
Proof of Concept
https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/external/Ownable.sol#L29-L33
https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L43-L47
https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L49-L53
https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L55-L58
https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L60-L64
https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/LPTokenMaster.sol#L43-L48
Tools Used
Manual Analysis
Recommended Mitigation Steps
Consider adding timelocks to such contracts with critical setter functions.