code-423n4 / 2022-02-tribe-turbo-findings


Timelock for critical changes #48

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboClerk.sol#L36
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboClerk.sol#L70
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboClerk.sol#L88

Vulnerability details

Impact

setDefaultFeePercentage, setCustomFeePercentageForCollateral and setCustomFeePercentageForSafe functions should have a timelock to give users time to react to the fee changes. ref: https://github.com/code-423n4/2021-11-overlay-findings/issues/120

Proof of Concept

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboClerk.sol#L36
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboClerk.sol#L70
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboClerk.sol#L88

Tools Used

Manual Analysis

Recommended Mitigation Steps

Consider adding a timelock for changes which would affect users.
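The mitigation recommended in this report, sketched as an added example; it is not part of the report and is not TurboClerk's code. Only the name setDefaultFeePercentage comes from the page; the contract name, the owner check, the 2-day delay, the fee scale and the queue/cancel functions are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Illustrative only: hypothetical contract, not the audited TurboClerk.
contract TimelockedFeeClerk {
    uint256 public constant DELAY = 2 days;   // assumed notice period
    uint256 public constant MAX_FEE = 1e18;   // assumed scale: 1e18 = 100%

    address public immutable owner;           // stand-in for the real auth scheme
    uint256 public defaultFeePercentage;

    uint256 public pendingFeePercentage;
    uint256 public pendingFeeEta;             // 0 means nothing is queued

    event DefaultFeeQueued(uint256 newFee, uint256 eta);
    event DefaultFeeUpdated(uint256 newFee);
    event DefaultFeeCancelled(uint256 fee);

    modifier onlyOwner() {
        require(msg.sender == owner, "UNAUTHORIZED");
        _;
    }

    constructor() { owner = msg.sender; }

    /// Step 1: announce the change on-chain so users can see it before it applies.
    function queueDefaultFeePercentage(uint256 newFee) external onlyOwner {
        require(newFee <= MAX_FEE, "FEE_TOO_HIGH");
        pendingFeePercentage = newFee;
        pendingFeeEta = block.timestamp + DELAY;   // re-queuing restarts the delay
        emit DefaultFeeQueued(newFee, pendingFeeEta);
    }

    /// Step 2: the queued value takes effect only once the delay has elapsed.
    function setDefaultFeePercentage() external onlyOwner {
        uint256 eta = pendingFeeEta;
        require(eta != 0, "NOTHING_QUEUED");
        require(block.timestamp >= eta, "TIMELOCKED");
        defaultFeePercentage = pendingFeePercentage;
        pendingFeeEta = 0;
        emit DefaultFeeUpdated(defaultFeePercentage);
    }

    /// Withdraw a queued change before it is applied.
    function cancelPendingFee() external onlyOwner {
        require(pendingFeeEta != 0, "NOTHING_QUEUED");
        pendingFeeEta = 0;
        emit DefaultFeeCancelled(pendingFeePercentage);
    }
}
```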

Joeysantoro commented 2 years ago

This is a configuration consideration, not an issue with the code. These functions will be managed by governance modules which have timelocks associated. Disputing the issue.

GalloDaSballo commented 2 years ago

Not a vulnerability