code-423n4 / 2022-01-yield-findings


Cvx3CrvOracle.setSource doesn't check provided core configuration values #128

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

hyh

Vulnerability details

Impact

The contract can be inoperable when instantiated with a wrong configuration. If a mis-set value goes unnoticed it can cause various malfunctions down the road.

Proof of Concept

setSource doesn't check core configuration variables:

https://github.com/code-423n4/2022-01-yield/blob/main/contracts/Cvx3CrvOracle.sol#L36-50

Recommended Mitigation Steps

Add the checks for zero ids and addresses, possibly try to run the provided contracts
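One way to implement the recommended checks, as an added example that is not the Yield contract's own code; the parameter list, the admin check and the probed view functions (Curve `get_virtual_price`, Chainlink `latestRoundData`) are assumptions about the oracle's dependencies:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the Yield Cvx3CrvOracle code. The parameter list, the
// admin check and the two probed view functions are assumptions about the
// oracle's dependencies (a Curve pool and three Chainlink feeds).
interface ICurvePool {
    function get_virtual_price() external view returns (uint256);
}

interface IChainlinkAggregatorV3 {
    function latestRoundData()
        external view returns (uint80, int256, uint256, uint256, uint80);
}

contract Cvx3CrvOracleChecked {
    address public immutable admin;
    bytes6 public ethId;
    bytes6 public cvx3CrvId;
    ICurvePool public curvePool;
    IChainlinkAggregatorV3 public daiFeed;
    IChainlinkAggregatorV3 public usdcFeed;
    IChainlinkAggregatorV3 public usdtFeed;

    constructor() { admin = msg.sender; }

    function setSource(
        bytes6 ethId_, bytes6 cvx3CrvId_, ICurvePool curvePool_,
        IChainlinkAggregatorV3 dai_, IChainlinkAggregatorV3 usdc_, IChainlinkAggregatorV3 usdt_
    ) external {
        require(msg.sender == admin, "not admin");
        // Zero-value and duplicate-id checks: a bytes6(0) id or a zero address
        // would silently make later lookups and price reads fail.
        require(ethId_ != bytes6(0) && cvx3CrvId_ != bytes6(0), "zero id");
        require(ethId_ != cvx3CrvId_, "identical ids");
        require(address(curvePool_) != address(0), "zero pool");
        // "Try to run the provided contracts": a view call to an EOA or to a
        // contract with the wrong interface reverts, so a mistyped address is
        // caught at configuration time rather than at first use.
        require(curvePool_.get_virtual_price() > 0, "pool probe failed");
        _probeFeed(dai_); _probeFeed(usdc_); _probeFeed(usdt_);
        ethId = ethId_; cvx3CrvId = cvx3CrvId_; curvePool = curvePool_;
        daiFeed = dai_; usdcFeed = usdc_; usdtFeed = usdt_;
    }

    function _probeFeed(IChainlinkAggregatorV3 feed) internal view {
        require(address(feed) != address(0), "zero feed");
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0 && updatedAt != 0, "feed probe failed");
    }
}
```

The probe calls cost gas only at configuration time; they do not change the read path of the oracle.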

devtooligan commented 2 years ago

For this type of thing we rely on our off chain deployment checks and procedures and intentionally omit this check

https://github.com/code-423n4/2022-01-yield#intentional-deviations-from-commonly-cited-best-practices


alcueca commented 2 years ago

Duplicate of #34

GalloDaSballo commented 2 years ago

Similar to #91 I'll side with the sponsor over the low severity issue, but do believe there's "admin privilege" which may manifest in medium severity issues