code-423n4 / 2022-01-sandclock-findings


Add a timelock to `BaseStrategy:setPerfFeePct` #178

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

Dravee

Vulnerability details

Impact

To give more trust to users: functions that set key/critical variables should be put behind a timelock.

Proof of Concept

https://github.com/code-423n4/2022-01-sandclock/blob/main/sandclock/contracts/strategy/BaseStrategy.sol#L249-L253

Tools Used

VS Code

Recommended Mitigation Steps

Add a timelock to setter functions of key/critical variables.

naps62 commented 2 years ago

While this is a valid suggestion, it doesn't necessarily indicate a vulnerability in the existing approach. A timelock can indeed increase trust, but it never truly eliminates the same risk (i.e.: once the timelock finishes, the same theoretical attacks from a malicious operator could happen anyway).

r2moon commented 2 years ago

We will set admin as a timelock.
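
The recommended mitigation, as an added example that is not part of the original thread and is not Sandclock's `BaseStrategy` code: a fee setter split into a queued announcement and a delayed execution, so a pending change is visible on-chain before it applies. Every name except `setPerfFeePct` is hypothetical, and the two-day delay and basis-point cap are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;
/// Added illustration only; not the audited contract. All names other than
/// setPerfFeePct are hypothetical, as are DELAY and MAX_PCT.
contract TimelockedPerfFee {
    uint16 public constant MAX_PCT = 10_000; // 100% in basis points (assumed unit)
    uint256 public constant DELAY = 2 days;  // assumed notice period
    address public immutable admin;
    uint16 public perfFeePct;
    uint16 public pendingPerfFeePct;
    uint256 public pendingEta;               // 0 means nothing is queued

    event PerfFeeChangeQueued(uint16 newPct, uint256 eta);
    event PerfFeeChangeCancelled(uint16 newPct);
    event PerfFeeChanged(uint16 oldPct, uint16 newPct);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor(address _admin, uint16 _initialPct) {
        require(_initialPct <= MAX_PCT, "pct too high");
        admin = _admin;
        perfFeePct = _initialPct;
    }

    /// Step 1: announce the change; the event is what depositors monitor.
    function queuePerfFeePct(uint16 _pct) external onlyAdmin {
        require(_pct <= MAX_PCT, "pct too high");
        pendingPerfFeePct = _pct;
        pendingEta = block.timestamp + DELAY;
        emit PerfFeeChangeQueued(_pct, pendingEta);
    }

    function cancelPerfFeePct() external onlyAdmin {
        require(pendingEta != 0, "nothing queued");
        emit PerfFeeChangeCancelled(pendingPerfFeePct);
        delete pendingPerfFeePct;
        delete pendingEta;
    }

    /// Step 2: the queued value applies only once the delay has elapsed.
    function setPerfFeePct() external onlyAdmin {
        require(pendingEta != 0, "nothing queued");
        require(block.timestamp >= pendingEta, "timelock active");
        emit PerfFeeChanged(perfFeePct, pendingPerfFeePct);
        perfFeePct = pendingPerfFeePct;
        delete pendingPerfFeePct;
        delete pendingEta;
    }
}
```

The admin keeps the same power after the delay; what the pattern adds is an observable notice period between `PerfFeeChangeQueued` and the change taking effect. Making the admin address itself a timelock contract gives the same delay without changing the setter.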