Closed (code423n4 closed this issue 2 years ago)
All of these will be behind timelocks at the Authority level. Given this is a configuration consideration, I am disputing.
I have to agree with the sponsor here: the functions mentioned are clearly permissioned; however, no exploit or vulnerability has been shown in this finding. The recommendation of using a timelock is welcome (and the sponsor has already made it clear they will), but in the absence of any vulnerability, I am going to mark the finding invalid.
Lines of code
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboClerk.sol#L36-L44
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboClerk.sol#L70-L78
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboClerk.sol#L88-L96
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboSavior.sol#L75-L83
Vulnerability details
Impact
It is a good practice to give time for users to react and adjust to critical changes. A timelock provides more guarantees and reduces the level of trust required, thus decreasing risk for users. It also indicates that the project is legitimate.
Here, no timelock capabilities seem to be used:
I believe those should've been governance functions, impacting multiple users enough to make them want to react / be notified ahead of time.
Proof of Concept
The requiresAuth modifier and the above image don't imply that the mentioned functions are behind a timelock.
Recommended Mitigation Steps
Consider adding a timelock to setDefaultFeePercentage(), setCustomFeePercentageForCollateral(), setCustomFeePercentageForSafe() and setMinDebtPercentageForSaving().
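The recommendation above is a pattern rather than a specific patch, so here is an added illustration of it. This is not code from the finding, from Tribe Turbo or from Solmate: the `owner` check stands in for the `requiresAuth` modifier (an assumption made for brevity, the real Authority wiring is not reproduced), and the contract names, the `Pending` struct and the `delay` parameter are hypothetical. The first contract applies a fee change in the same transaction; the second splits the same change into schedule / execute with a minimum delay, so the new value is public before it takes effect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Added example, not project code. The `owner` check below is a stand-in
/// (assumption) for Solmate's `requiresAuth`; only the timelock shape matters.

/// Permission check only: the change is live as soon as the tx is mined,
/// which is the situation the finding describes.
contract FeeSetterNoDelay {
    address public immutable owner;
    uint256 public defaultFeePercentage;

    constructor() { owner = msg.sender; }

    modifier requiresAuth() {
        require(msg.sender == owner, "UNAUTHORIZED");
        _;
    }

    function setDefaultFeePercentage(uint256 newFee) external requiresAuth {
        defaultFeePercentage = newFee;
    }
}

/// Same setter behind a minimal two-step timelock. `delay` is the minimum
/// number of seconds between announcing a value and applying it.
contract FeeSetterTimelocked {
    address public immutable owner;
    uint256 public immutable delay;
    uint256 public defaultFeePercentage;

    /// A scheduled change: the value and the earliest timestamp it may apply.
    struct Pending { uint256 value; uint256 eta; bool exists; }
    Pending public pendingDefaultFee;

    event DefaultFeeScheduled(uint256 value, uint256 eta);
    event DefaultFeeCancelled(uint256 value);
    event DefaultFeeExecuted(uint256 value);

    constructor(uint256 _delay) {
        owner = msg.sender;
        delay = _delay;
    }

    modifier requiresAuth() {
        require(msg.sender == owner, "UNAUTHORIZED");
        _;
    }

    /// Step 1 (permissioned): announce the new value. Overwrites any earlier
    /// pending value, and restarts the clock for it.
    function scheduleDefaultFeePercentage(uint256 newFee) external requiresAuth {
        uint256 eta = block.timestamp + delay;
        pendingDefaultFee = Pending({ value: newFee, eta: eta, exists: true });
        emit DefaultFeeScheduled(newFee, eta);
    }

    /// Optional (permissioned): withdraw an announced change before it applies.
    function cancelDefaultFeePercentage() external requiresAuth {
        require(pendingDefaultFee.exists, "NOTHING_PENDING");
        emit DefaultFeeCancelled(pendingDefaultFee.value);
        delete pendingDefaultFee;
    }

    /// Step 2 (anyone): apply the announced value once the delay has elapsed.
    /// Only the announced value can be applied, so what users saw in the
    /// DefaultFeeScheduled event is exactly what takes effect.
    function executeDefaultFeePercentage() external {
        Pending memory p = pendingDefaultFee;
        require(p.exists, "NOTHING_PENDING");
        require(block.timestamp >= p.eta, "TIMELOCK_NOT_EXPIRED");
        delete pendingDefaultFee;
        defaultFeePercentage = p.value;
        emit DefaultFeeExecuted(p.value);
    }
}
```

The same schedule / cancel / execute triple would be repeated for the other three setters named in the finding, each with its own pending slot. Note the caveat the sponsor raises: if the Authority that is allowed to call these setters is itself a timelock contract, the setters can stay as they are and the delay is enforced one layer up; the point of the finding is only that nothing in the modifier itself guarantees that.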