Closed code423n4 closed 2 years ago
Duplicated: #91 for the missing event
Disputed for the timelock, as explained in the documentation (readme):
"The contracts are owned by the TimelockController contract from OpenZeppelin, set with a 7-days delay. This ensures the community has time to review any changes made to the protocol."
The owner of the TimelockController is a three-party multisignature wallet.
Also duplicate of: #42
Issues with events are non-critical
Handle
0x0x0x
Vulnerability details
Impact
Missing event and timelock for FeeSplitter. The admin can change the shareholder structure as he wants without notice. Any change in the shareholder structure should be emitted, and the admin shouldn't be controlled just by a private key.
Proof of Concept
https://github.com/code-423n4/2021-11-nested/blob/5d113967cdf7c9ee29802e1ecb176c656386fe9b/contracts/FeeSplitter.sol#L103
Tools Used
Manual analysis