setComponents function specs and logic mismatch

[code423n4]

Handle

hack3r-0m

Vulnerability details

https://github.com/code-423n4/2021-11-vader/blob/main/contracts/tokens/Vader.sol#L145 says function should be only callable by the deployer.

while in the following scenario:

• contract is created (deployer = msg.sender)
• deployer transfers ownership to address X
• X calls setComponent

X is not a deployer but can call setComponents.

Fix the comment or logic to represent the above-mentioned scenario accordingly.

[0xstormtrooper]

We think severity here is 0

[alcueca]

I see no grounds to reduce severity. Either the comment is wrong, or the state handling is wrong. Both are severity 1 issues.

[SamSteinGG]

@alcueca Can you elaborate what type of risk exists from a comment mistake? There is zero impact to the integrity of the protocol as the code behaves as intended, the "deployer" mentioned does not have any special distinction from any owner of the contract logically.