code-423n4 / 2021-09-yaxis-findings


Pending strategist timelock works on next block #115

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

cmichel

Vulnerability details

The Manager.acceptStrategist function has a strict inequality check for the current block and the pending strategist time:

require(block.timestamp > setPendingStrategistTime.add(PENDING_STRATEGIST_TIMELOCK), "PENDING_STRATEGIST_TIMELOCK");

Impact

If the PENDING_STRATEGIST_TIMELOCK is set to zero, it still cannot accept the strategist using setStrategist and accept it in the same block.

Recommended Mitigation Steps

It should be require(block.timestamp >= setPendingStrategistTime.add(PENDING_STRATEGIST_TIMELOCK), "PENDING_STRATEGIST_TIMELOCK");
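The two-step, timelocked strategist handover that the finding is about, written out as an added illustration rather than the yAxis Manager code: the contract name, the governance/strategist/pendingStrategist fields, the 7-day timelock value and the events are assumptions, and Solidity 0.8 checked arithmetic stands in for SafeMath's `.add`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Minimal two-step strategist handover with a timelock. Added illustration of
/// the check discussed above, not the yAxis Manager contract; names and the
/// 7-day value are assumptions.
contract StrategistTimelock {
    uint256 public constant PENDING_STRATEGIST_TIMELOCK = 7 days;

    address public governance;
    address public strategist;
    address public pendingStrategist;
    uint256 public setPendingStrategistTime;

    event StrategistProposed(address indexed pending, uint256 acceptableFrom);
    event StrategistChanged(address indexed previous, address indexed current);

    modifier onlyGovernance() {
        require(msg.sender == governance, "!governance");
        _;
    }

    constructor() {
        governance = msg.sender;
        strategist = msg.sender;
    }

    /// Step 1: governance proposes a new strategist and starts the clock.
    function setStrategist(address _strategist) external onlyGovernance {
        require(_strategist != address(0), "!strategist");
        pendingStrategist = _strategist;
        setPendingStrategistTime = block.timestamp;
        emit StrategistProposed(_strategist, block.timestamp + PENDING_STRATEGIST_TIMELOCK);
    }

    /// Step 2: the proposed strategist accepts once the timelock has elapsed.
    /// `>=` makes the boundary inclusive, so the first valid block is exactly the
    /// `acceptableFrom` timestamp announced in StrategistProposed; with `>` the
    /// earliest valid block is one timestamp later than announced.
    function acceptStrategist() external {
        require(msg.sender == pendingStrategist, "!pendingStrategist");
        require(
            block.timestamp >= setPendingStrategistTime + PENDING_STRATEGIST_TIMELOCK,
            "PENDING_STRATEGIST_TIMELOCK"
        );
        emit StrategistChanged(strategist, msg.sender);
        strategist = msg.sender;
        delete pendingStrategist;
        delete setPendingStrategistTime;
    }
}
```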

Haz077 commented 2 years ago

PENDING_STRATEGIST_TIMELOCK is constant and I think there is no plan to change it to zero because that will remove its main purpose.

uN2RVw5q commented 2 years ago

I agree with the "sponsor disputed" tag.

GalloDaSballo commented 2 years ago

Because PENDING_STRATEGIST_TIMELOCK the logic mentioned by the warden cannot happen. Disputed